RFR: 8269039: Disable SHA-1 Signed JARs

Tue, 31 Aug 2021 12:05:39 -0700 

This change will disable JARs signed with algorithms using SHA-1 by default, 
and treat them as unsigned. This applies to the algorithms used to digest, 
sign, and optionally timestamp the JAR. It also applies to the signature and 
digest algorithms of the certificates in the certificate chain of the code 
signer and the Timestamp Authority, and any CRLs or OCSP responses that are 
used to verify if those certificates have been revoked. The specific details 
are more fully described in the CSR: 
https://bugs.openjdk.java.net/browse/JDK-8272155.

Some additional notes about the fix:

- This change was previously backed out of JDK 17 and delayed because of 
performance regressions. The overall performance is still to be verified, but 
the primary bottlenecks were addressed as follows:
    - `sun.security.util.DisabledAlgorithmConstraints` no longer depends on 
`java.text.SimpleDateFormat` to format date fields which is expensive.
    - the `jdkCA` constraint has been removed as this caused the `cacerts` 
keystore to be loaded. Applications  using SHA-1 JARs signed by certificates 
that chain back to private CAs and are impacted by the restrictions can, at 
their own risk, adjust the properties and add back in the `jdkCA` constraint.
 - `jarsigner` has been enhanced to more accurately warn about algorithms that 
are disabled based on the constraints specified in the security properties. 
Previously it had used a simpler scheme which did not take into account 
constraints such as `Usage` or `DenyAfter`. Similar changes should also be made 
to `keytool` but that will be addressed in a separate issue.
 - Some SHA-1 JARs used by tests where it does not affect the results have been 
re-signed with SHA-2 algorithms.

-------------

Commit messages:
 - Fix trailing whitespace.
 - Initial revision.

Changes: https://git.openjdk.java.net/jdk/pull/5320/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5320&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8269039
  Stats: 643 lines in 27 files changed: 301 ins; 214 del; 128 mod
  Patch: https://git.openjdk.java.net/jdk/pull/5320.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/5320/head:pull/5320

PR: https://git.openjdk.java.net/jdk/pull/5320

Reply via email to