> This change will disable JARs signed with algorithms using SHA-1 by default, > and treat them as unsigned. This applies to the algorithms used to digest, > sign, and optionally timestamp the JAR. It also applies to the signature and > digest algorithms of the certificates in the certificate chain of the code > signer and the Timestamp Authority, and any CRLs or OCSP responses that are > used to verify if those certificates have been revoked. The specific details > are more fully described in the CSR: > https://bugs.openjdk.java.net/browse/JDK-8272155. > > Some additional notes about the fix: > > - This change was previously backed out of JDK 17 and delayed because of > performance regressions. The overall performance is still to be verified, but > the primary bottlenecks were addressed as follows: > - `sun.security.util.DisabledAlgorithmConstraints` no longer depends on > `java.text.SimpleDateFormat` to format date fields which is expensive. > - the `jdkCA` constraint has been removed as this caused the `cacerts` > keystore to be loaded. Applications using SHA-1 JARs signed by certificates > that chain back to private CAs and are impacted by the restrictions can, at > their own risk, adjust the properties and add back in the `jdkCA` constraint. > - `jarsigner` has been enhanced to more accurately warn about algorithms > that are disabled based on the constraints specified in the security > properties. Previously it had used a simpler scheme which did not take into > account constraints such as `Usage` or `DenyAfter`. Similar changes should > also be made to `keytool` but that will be addressed in a separate issue. > - Some SHA-1 JARs used by tests where it does not affect the results have > been re-signed with SHA-2 algorithms.
Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: Rename JarConstraintsParameter.init to addToCertsAndKeys. Add more comments describing PKIX date() method. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5320/files - new: https://git.openjdk.java.net/jdk/pull/5320/files/ee2d3080..3f942e52 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5320&range=04 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5320&range=03-04 Stats: 16 lines in 2 files changed: 5 ins; 0 del; 11 mod Patch: https://git.openjdk.java.net/jdk/pull/5320.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5320/head:pull/5320 PR: https://git.openjdk.java.net/jdk/pull/5320