8269039: Disable SHA-1 Signed JARs #5320
/csr
@seanjmullan this pull request will not be integrated until the CSR request JDK-8272155 for issue JDK-8269039 has been approved.
@seanjmullan The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.
/label remove core-libs
@AlanBateman
this.timestamp = null; | ||
} | ||
} | ||
|
||
// extract last certificate and key from chain | ||
private void init(CertPath cp) { |
The init name suggests it's only done once at the beginning, but actually it's an accumulation process. Can we find another name?
I have renamed it to addToCertsAndKeys.
? timestamp.getTimestamp() : date(); | ||
} | ||
return timestampDate; | ||
} |
Can we also add some words to the date() method? Something which tells the major difference between it and timestamp()?
Done - see latest commit.
All is good. No other comments.
…mments describing PKIX date() method.
@seanjmullan This change now passes all automated pre-integration checks. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 516 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.
/integrate
Going to push as commit 6d91a3e.
Your commit was automatically rebased without conflicts.
@seanjmullan Pushed as commit 6d91a3e.
This change will disable JARs signed with algorithms using SHA-1 by default, and treat them as unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. The specific details are more fully described in the CSR: https://bugs.openjdk.java.net/browse/JDK-8272155.
Some additional notes about the fix:
- sun.security.util.DisabledAlgorithmConstraints no longer depends on java.text.SimpleDateFormat to format date fields which is expensive.
- jdkCA constraint has been removed as this caused the cacerts keystore to be loaded. Applications using SHA-1 JARs signed by certificates that chain back to private CAs and are impacted by the restrictions can, at their own risk, adjust the properties and add back in the jdkCA constraint.
- jarsigner has been enhanced to more accurately warn about algorithms that are disabled based on the constraints specified in the security properties. Previously it had used a simpler scheme which did not take into account constraints such as Usage or DenyAfter. Similar changes should also be made to keytool but that will be addressed in a separate issue.
Reviewing
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/5320/head:pull/5320
$ git checkout pull/5320
Update a local copy of the PR:
$ git checkout pull/5320
$ git pull https://git.openjdk.java.net/jdk pull/5320/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 5320
View PR using the GUI difftool:
$ git pr show -t 5320
Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/5320.diff
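To find JARs that this change will start treating as unsigned before a JDK upgrade, the signature-related entries under META-INF can be scanned for SHA-1 digest attributes and signature algorithm OIDs. The following is an added example, not part of the pull request or the JDK; the function names and the sample JAR are constructed for illustration, and the OID byte scan is a heuristic that does not evaluate constraints such as Usage or DenyAfter.

```python
import io
import re
import zipfile

# DER-encoded OIDs that indicate SHA-1 inside a PKCS#7 signature block.
SHA1_OIDS = {
    bytes.fromhex("06052b0e03021a"): "SHA-1 digest OID",
    bytes.fromhex("06092a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("06072a8648ce380403"): "dsa-with-sha1",
    bytes.fromhex("06072a8648ce3d0401"): "ecdsa-with-SHA1",
}
# Matches SHA1-Digest, SHA-1-Digest, SHA1-Digest-Manifest, ... at line start.
DIGEST_ATTR = re.compile(rb"^SHA-?1-Digest", re.I | re.M)


def sha1_findings(jar_bytes):
    """Return sorted (entry, reason) pairs for SHA-1 use in a JAR's signature files."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            data = jar.read(name)
            if upper == "META-INF/MANIFEST.MF" or upper.endswith(".SF"):
                if DIGEST_ATTR.search(data):
                    findings.add((name, "SHA-1 digest attribute"))
            elif upper.endswith((".RSA", ".DSA", ".EC")):
                # Heuristic byte scan, not ASN.1 parsing: it also fires on SHA-1
                # signed certificates anywhere in the embedded chain.
                for oid, label in SHA1_OIDS.items():
                    if oid in data:
                        findings.add((name, label))
    return sorted(findings)


def build_sample_jar(digest_attr, block):
    """Constructed sample: fake signature files, not a validly signed JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\n\r\nName: A.class\r\n{digest_attr}: AAAA\r\n")
        z.writestr("META-INF/SIGNER.SF",
                   f"Signature-Version: 1.0\r\n{digest_attr}-Manifest: AAAA\r\n")
        z.writestr("META-INF/SIGNER.RSA", block)
    return buf.getvalue()


if __name__ == "__main__":
    weak = build_sample_jar("SHA1-Digest", bytes.fromhex("06092a864886f70d010105"))
    for entry, reason in sha1_findings(weak):
        print(entry, "->", reason)
```

A hit from the byte scan is a prompt to inspect the JAR with jarsigner, since a SHA-1 signed certificate in the embedded chain triggers it as well.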