> This change will disable JARs signed with algorithms using SHA-1 by default, > and treat them as unsigned. This applies to the algorithms used to digest, > sign, and optionally timestamp the JAR. It also applies to the signature and > digest algorithms of the certificates in the certificate chain of the code > signer and the Timestamp Authority, and any CRLs or OCSP responses that are > used to verify if those certificates have been revoked. The specific details > are more fully described in the CSR: > https://bugs.openjdk.java.net/browse/JDK-8272155. > > Some additional notes about the fix: > > - This change was previously backed out of JDK 17 and delayed because of > performance regressions. The overall performance is still to be verified, but > the primary bottlenecks were addressed as follows: > - `sun.security.util.DisabledAlgorithmConstraints` no longer depends on > `java.text.SimpleDateFormat` to format date fields which is expensive. > - the `jdkCA` constraint has been removed as this caused the `cacerts` > keystore to be loaded. Applications using SHA-1 JARs signed by certificates > that chain back to private CAs and are impacted by the restrictions can, at > their own risk, adjust the properties and add back in the `jdkCA` constraint. > - `jarsigner` has been enhanced to more accurately warn about algorithms > that are disabled based on the constraints specified in the security > properties. Previously it had used a simpler scheme which did not take into > account constraints such as `Usage` or `DenyAfter`. Similar changes should > also be made to `keytool` but that will be addressed in a separate issue. > - Some SHA-1 JARs used by tests where it does not affect the results have > been re-signed with SHA-2 algorithms.
Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: Add back DynStatic.java test which was accidentally removed in prior commit. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5320/files - new: https://git.openjdk.java.net/jdk/pull/5320/files/d797f32a..ae1ea608 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5320&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5320&range=01-02 Stats: 96 lines in 1 file changed: 96 ins; 0 del; 0 mod Patch: https://git.openjdk.java.net/jdk/pull/5320.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5320/head:pull/5320 PR: https://git.openjdk.java.net/jdk/pull/5320