On Tue, 31 Aug 2021 18:53:36 GMT, Sean Mullan <mul...@openjdk.org> wrote:

> This change will disable JARs signed with algorithms using SHA-1 by default, 
> and treat them as unsigned. This applies to the algorithms used to digest, 
> sign, and optionally timestamp the JAR. It also applies to the signature and 
> digest algorithms of the certificates in the certificate chain of the code 
> signer and the Timestamp Authority, and any CRLs or OCSP responses that are 
> used to verify if those certificates have been revoked. The specific details 
> are more fully described in the CSR: 
> https://bugs.openjdk.java.net/browse/JDK-8272155.
> 
> Some additional notes about the fix:
> 
> - This change was previously backed out of JDK 17 and delayed because of 
> performance regressions. The overall performance is still to be verified, but 
> the primary bottlenecks were addressed as follows:
>     - `sun.security.util.DisabledAlgorithmConstraints` no longer depends on 
> `java.text.SimpleDateFormat` to format date fields, which is expensive.
>     - the `jdkCA` constraint has been removed as this caused the `cacerts` 
> keystore to be loaded. Applications using SHA-1 JARs signed by certificates 
> that chain back to private CAs and are impacted by the restrictions can, at 
> their own risk, adjust the properties and add back in the `jdkCA` constraint.
> - `jarsigner` has been enhanced to more accurately warn about algorithms 
> that are disabled based on the constraints specified in the security 
> properties. Previously it had used a simpler scheme which did not take into 
> account constraints such as `Usage` or `DenyAfter`. Similar changes should 
> also be made to `keytool` but that will be addressed in a separate issue.
> - Some SHA-1 JARs used by tests where it does not affect the results have 
> been re-signed with SHA-2 algorithms.

This pull request has now been integrated.

Changeset: 6d91a3eb
Author:    Sean Mullan <mul...@openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/6d91a3eb7bd1e1403cfb67f7eb8ce06d7e08e7a7
Stats:     666 lines in 27 files changed: 314 ins; 214 del; 138 mod

8269039: Disable SHA-1 Signed JARs

Reviewed-by: weijun

-------------

PR: https://git.openjdk.java.net/jdk/pull/5320
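
To find JARs that the change described above will start treating as unsigned, the following added example (not part of the pull request or the JDK) inventories the digest attributes in a JAR's `MANIFEST.MF` and `.SF` files. It covers only the digest part of the restriction, not the signature algorithm in the signature block, the certificate chain or the timestamp; the function names and the sample JAR are constructed for illustration.

```python
import io
import re
import zipfile

# Attribute names look like "SHA1-Digest" or "SHA-256-Digest-Manifest".
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-[A-Za-z-]+)?:")
SHA1_NAMES = {"SHA1", "SHA-1"}

def digest_algorithms(text):
    """Digest algorithm names used by the attributes of one manifest-format file."""
    algs = set()
    for line in text.splitlines():
        if line.startswith(" "):  # continuation of a wrapped value
            continue
        m = DIGEST_ATTR.match(line)
        if m:
            algs.add(m.group(1).upper())
    return algs

def audit_jar(jar):
    """Map MANIFEST.MF and each .SF file to the digest algorithms it names."""
    report = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            up = name.upper()
            if up == "META-INF/MANIFEST.MF" or (up.startswith("META-INF/") and up.endswith(".SF")):
                report[name] = digest_algorithms(zf.read(name).decode("utf-8", "replace"))
    return report

def needs_resigning(report):
    """Triage heuristic: the JAR is signed (has a .SF) and some digest is SHA-1."""
    signed = any(n.upper().endswith(".SF") for n in report)
    return signed and any(a & SHA1_NAMES for a in report.values())

def sample_jar(attr):
    """Constructed sample: a JAR whose manifest and .SF use the given digest attribute."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\n\r\nName: A.class\r\n{attr}: AAAA\r\n\r\n")
        zf.writestr("META-INF/SIGNER.SF",
                    f"Signature-Version: 1.0\r\n{attr}-Manifest: BBBB\r\n\r\n"
                    f"Name: A.class\r\n{attr}: CCCC\r\n\r\n")
        zf.writestr("A.class", b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for attr in ("SHA1-Digest", "SHA-256-Digest"):
        report = audit_jar(sample_jar(attr))
        print(attr, report, "re-sign" if needs_resigning(report) else "ok")
```

A hit from this scan is a prompt to check the JAR with `jarsigner -verify`, which applies the actual constraints from the security properties.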
