@seanjmullan seanjmullan commented Aug 31, 2021

This change will disable JARs signed with algorithms using SHA-1 by default, and treat them as unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. The specific details are more fully described in the CSR: https://bugs.openjdk.java.net/browse/JDK-8272155.

Some additional notes about the fix:

  • This change was previously backed out of JDK 17 and delayed because of performance regressions. The overall performance is still to be verified, but the primary bottlenecks were addressed as follows:
    • sun.security.util.DisabledAlgorithmConstraints no longer depends on java.text.SimpleDateFormat to format date fields which is expensive.
    • the jdkCA constraint has been removed as this caused the cacerts keystore to be loaded. Applications using SHA-1 JARs signed by certificates that chain back to private CAs and are impacted by the restrictions can, at their own risk, adjust the properties and add back in the jdkCA constraint.
  • jarsigner has been enhanced to more accurately warn about algorithms that are disabled based on the constraints specified in the security properties. Previously it had used a simpler scheme which did not take into account constraints such as Usage or DenyAfter. Similar changes should also be made to keytool but that will be addressed in a separate issue.
  • Some SHA-1 JARs used by tests where it does not affect the results have been re-signed with SHA-2 algorithms.

Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/5320/head:pull/5320
$ git checkout pull/5320

Update a local copy of the PR:
$ git checkout pull/5320
$ git pull https://git.openjdk.java.net/jdk pull/5320/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 5320

View PR using the GUI difftool:
$ git pr show -t 5320

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/5320.diff
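
Added example (not part of the PR or the JDK sources): a small Java check showing how the behaviour in the PR description surfaces through the public `java.util.jar` API. A JAR that carries a signature file but whose entries report no code signers is being treated as unsigned by the running JDK. The class name `SignedJarAudit` and the output wording are assumptions made for this illustration.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example, not part of the PR. Usage: java SignedJarAudit.java app.jar
public class SignedJarAudit {
    public static void main(String[] args) throws Exception {
        boolean hasSigFile = false;
        int signed = 0, unsigned = 0;
        Set<String> certSigAlgs = new TreeSet<>();
        try (JarFile jar = new JarFile(args[0], true)) {      // true: verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory()) continue;
                String n = e.getName().toUpperCase(Locale.ROOT);
                if (n.startsWith("META-INF/") && n.endsWith(".SF")) hasSigFile = true;
                // The manifest and the signature files are not themselves signed.
                if (n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                        && n.matches(".*\\.(SF|RSA|DSA|EC)"))) continue;
                // Signers are only known once the entry has been read to the end;
                // a modified entry fails here with a SecurityException.
                try (InputStream in = jar.getInputStream(e)) { in.readAllBytes(); }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { unsigned++; continue; }
                signed++;
                // Record the signature algorithm of every certificate in each signer chain.
                for (CodeSigner s : signers)
                    for (Certificate c : s.getSignerCertPath().getCertificates())
                        certSigAlgs.add(((X509Certificate) c).getSigAlgName());
            }
        }
        System.out.printf("signature files: %b, signed entries: %d, unsigned entries: %d%n",
                hasSigFile, signed, unsigned);
        System.out.println("certificate signature algorithms: " + certSigAlgs);
        if (hasSigFile && signed == 0)
            System.out.println("JAR carries a signature but this runtime treats it as unsigned"
                    + " (disabled algorithm or unverifiable signature)");
    }
}
```

Running the same JAR through a JDK from before and after this change shows the difference: the signed-entry count drops to zero once SHA-1 is disabled.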

bridgekeeper bot commented Aug 31, 2021

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@seanjmullan
Member Author

/csr

openjdk bot commented Aug 31, 2021

@seanjmullan this pull request will not be integrated until the CSR request JDK-8272155 for issue JDK-8269039 has been approved.

@openjdk openjdk bot added the csr Pull request needs approved CSR before integration label Aug 31, 2021

openjdk bot commented Aug 31, 2021

@seanjmullan The following labels will be automatically applied to this pull request:

  • compiler
  • core-libs
  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added security security-dev@openjdk.org core-libs core-libs-dev@openjdk.org compiler compiler-dev@openjdk.org rfr Pull request is ready for review labels Aug 31, 2021

@AlanBateman
Contributor

/label remove core-libs

@openjdk openjdk bot removed the core-libs core-libs-dev@openjdk.org label Sep 1, 2021

openjdk bot commented Sep 1, 2021

@AlanBateman
The core-libs label was successfully removed.

@openjdk openjdk bot removed the rfr Pull request is ready for review label Sep 20, 2021
@openjdk openjdk bot added the rfr Pull request is ready for review label Sep 20, 2021
}

// extract last certificate and key from chain
private void init(CertPath cp) {
Contributor

The init name suggests it's only done once at the beginning, but actually it's an accumulation process. Can we find another name?

Member Author

I have renamed it to addToCertsAndKeys.

? timestamp.getTimestamp() : date();
}
return timestampDate;
}
Contributor

Can we also add some words to the date() method? Something which tells the major difference between it and timestamp()?

Member Author

Done - see latest commit.

Contributor

All is good. No other comments.

@openjdk openjdk bot removed the csr Pull request needs approved CSR before integration label Sep 20, 2021

openjdk bot commented Sep 20, 2021

@seanjmullan This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8269039: Disable SHA-1 Signed JARs

Reviewed-by: weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 516 new commits pushed to the master branch:

  • 5c21c00: 8267163: Rename anonymous loader tests to hidden loader tests
  • b3b4b1c: 8273907: Cleanup redundant Math.max/min calls in DefaultHighlighter
  • a67f0f9: 8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes
  • 26e5e9a: 8273654: JFR: Remove unused SecuritySupport.setAccessible(Field)
  • 4b3a4ff: 8273940: vmTestbase/vm/mlvm/meth/stress/gc/callSequencesDuringGC/Test.java crashes in full gc during VM exit
  • dad5d27: 8272867: JFR: ManagementSupport.removeBefore() lost coverage
  • 48aff23: 8272515: JFR: Names should only be valid Java identifiers
  • 4d95a5d: 8273933: [TESTBUG] Test must run without preallocated exceptions
  • 9aa12da: 8273934: Remove unused perfcounters
  • 4da45c4: 8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction
  • ... and 506 more: https://git.openjdk.java.net/jdk/compare/bdb50cab79056bb2ac9fe1ba0cf0f237317052da...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Sep 20, 2021
@seanjmullan
Member Author

/integrate

openjdk bot commented Sep 21, 2021

Going to push as commit 6d91a3e.
Since your change was applied there have been 534 commits pushed to the master branch:

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot closed this Sep 21, 2021
@openjdk openjdk bot added integrated Pull request has been integrated and removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Sep 21, 2021

openjdk bot commented Sep 21, 2021

@seanjmullan Pushed as commit 6d91a3e.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Labels

compiler compiler-dev@openjdk.org integrated Pull request has been integrated security security-dev@openjdk.org

3 participants