On Tue, 31 Aug 2021 18:53:36 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> This change will disable JARs signed with algorithms using SHA-1 by default,
> and treat them as unsigned. This applies to the algorithms used to digest,
> sign, and optionally timestamp the JAR. It also applies to the signature and
> digest algorithms of the certificates in the certificate chain of the code
> signer and the Timestamp Authority, and any CRLs or OCSP responses that are
> used to verify if those certificates have been revoked. The specific details
> are more fully described in the CSR:
> https://bugs.openjdk.java.net/browse/JDK-8272155.
>
> Some additional notes about the fix:
>
> - This change was previously backed out of JDK 17 and delayed because of
>   performance regressions. The overall performance is still to be verified, but
>   the primary bottlenecks were addressed as follows:
>   - `sun.security.util.DisabledAlgorithmConstraints` no longer depends on
>     `java.text.SimpleDateFormat` to format date fields which is expensive.
>   - the `jdkCA` constraint has been removed as this caused the `cacerts`
>     keystore to be loaded. Applications using SHA-1 JARs signed by certificates
>     that chain back to private CAs and are impacted by the restrictions can, at
>     their own risk, adjust the properties and add back in the `jdkCA` constraint.
> - `jarsigner` has been enhanced to more accurately warn about algorithms
>   that are disabled based on the constraints specified in the security
>   properties. Previously it had used a simpler scheme which did not take into
>   account constraints such as `Usage` or `DenyAfter`. Similar changes should
>   also be made to `keytool` but that will be addressed in a separate issue.
> - Some SHA-1 JARs used by tests where it does not affect the results have
>   been re-signed with SHA-2 algorithms.

This pull request has now been integrated.

Changeset: 6d91a3eb
Author:    Sean Mullan <mul...@openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/6d91a3eb7bd1e1403cfb67f7eb8ce06d7e08e7a7
Stats:     666 lines in 27 files changed: 314 ins; 214 del; 138 mod

8269039: Disable SHA-1 Signed JARs

Reviewed-by: weijun

-------------

PR: https://git.openjdk.java.net/jdk/pull/5320
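
An added example, not part of the original message or of the JDK change: a small inventory check that flags JARs whose `MANIFEST.MF` or `.SF` files carry SHA-1 digest attributes, the digest part of what the change above starts treating as unsigned. The function names and the sample JAR are constructed for illustration; the signature block and certificate-chain algorithms are not parsed here, so `jarsigner -verify` remains the authoritative check.

```python
import io
import re
import zipfile

# Digest attribute names in MANIFEST.MF and *.SF, e.g. "SHA1-Digest",
# "SHA-1-Digest-Manifest", "SHA-256-Digest-Manifest-Main-Attributes".
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-[A-Za-z-]+)?$", re.I)
SIGNING_META = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.SF)$", re.I)


def sha1_digest_use(jar_bytes):
    """Return {META-INF file: number of SHA-1 digest attributes found}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not SIGNING_META.match(name):
                continue
            text = jar.read(name).decode("utf-8", "replace")
            # Undo manifest line folding (continuation lines start with a space).
            text = re.sub(r"\r?\n ", "", text)
            count = 0
            for line in text.splitlines():
                m = DIGEST_ATTR.match(line.split(":", 1)[0].strip())
                # Signers write either "SHA1" or "SHA-1"; normalise both.
                if m and m.group(1).upper().replace("-", "") == "SHA1":
                    count += 1
            if count:
                findings[name] = count
    return findings


def build_sample_jar(alg):
    """Constructed sample: signed-JAR metadata layout using digest name `alg`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n\r\n"
                     "Name: com/example/A.class\r\n"
                     f"{alg}-Digest: Y29uc3RydWN0ZWQ=\r\n\r\n")
        jar.writestr("META-INF/SIGNER.SF",
                     "Signature-Version: 1.0\r\n"
                     f"{alg}-Digest-Manifest: Y29uc3RydWN0ZWQ=\r\n\r\n"
                     "Name: com/example/A.class\r\n"
                     f"{alg}-Digest: Y29uc3RydWN0ZWQ=\r\n\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256"):
        print(alg, sha1_digest_use(build_sample_jar(alg)))
```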