Skip to content
This repository has been archived by the owner on Feb 2, 2023. It is now read-only.
/ jdk13u-dev Public archive

Commit

Permalink
8241888: Mirror jdk.security.allowNonCaAnchor system property with a …
Browse files Browse the repository at this point in the history
…security one

Reviewed-by: dcherepanov
Backport-of: 1c65145
  • Loading branch information
Alexey Bakhtin authored and Dmitry Cherepanov committed Aug 9, 2021
1 parent 7a64454 commit 9940295
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 7 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -32,9 +32,9 @@

import javax.security.auth.x500.X500Principal;
import sun.security.action.GetBooleanAction;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.provider.certpath.PKIXExtendedParameters;
import sun.security.util.SecurityProperties;

/**
* Validator implementation built on the PKIX CertPath API. This
Expand Down Expand Up @@ -62,14 +62,14 @@ public final class PKIXValidator extends Validator {
.privilegedGetProperty("com.sun.net.ssl.checkRevocation");

/**
* System property that if set (or set to "true"), allows trust anchor
* certificates to be used if they do not have the proper CA extensions.
* Set to false if prop is not set, or set to any other value.
* System or security property that if set (or set to "true"), allows trust
* anchor certificates to be used if they do not have the proper CA
* extensions. Set to false if prop is not set, or set to any other value.
*/
private static final boolean ALLOW_NON_CA_ANCHOR = allowNonCaAnchor();
private static boolean allowNonCaAnchor() {
String prop = GetPropertyAction
.privilegedGetProperty("jdk.security.allowNonCaAnchor");
String prop = SecurityProperties
.privilegedGetOverridable("jdk.security.allowNonCaAnchor");
return prop != null && (prop.isEmpty() || prop.equalsIgnoreCase("true"));
}

Expand Down
13 changes: 13 additions & 0 deletions src/java.base/share/conf/security/java.security
Original file line number Diff line number Diff line change
Expand Up @@ -1311,6 +1311,19 @@ jdk.io.permissionsUseCanonicalPath=false
#
#jdk.security.krb5.default.initiate.credential=always-impersonate

#
# Trust Anchor Certificates - CA Basic Constraint check
#
# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
# connections) must have the cA Basic Constraint field set to 'true'. Also, if
# they include a Key Usage extension, the keyCertSign bit must be set. These
# checks, enabled by default, can be disabled for backward-compatibility
# purposes with the jdk.security.allowNonCaAnchor System and Security
# properties. In the case that both properties are simultaneously set, the
# System value prevails. The default value of the property is "false".
#
#jdk.security.allowNonCaAnchor=true

#
# JNDI Object Factories Filter
#
Expand Down

1 comment on commit 9940295

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.