Skip to content
Permalink
Browse files

8241888: Mirror jdk.security.allowNonCaAnchor system property with a …

…security one

Reviewed-by: mullan
  • Loading branch information
martinuy committed Apr 2, 2020
1 parent 1cca0e4 commit 1c651455a75ff21770bb3b112a440396fce402a5
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,9 +32,9 @@

import javax.security.auth.x500.X500Principal;
import sun.security.action.GetBooleanAction;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.provider.certpath.PKIXExtendedParameters;
import sun.security.util.SecurityProperties;

/**
* Validator implementation built on the PKIX CertPath API. This
@@ -62,14 +62,14 @@
.privilegedGetProperty("com.sun.net.ssl.checkRevocation");

/**
* System property that if set (or set to "true"), allows trust anchor
* certificates to be used if they do not have the proper CA extensions.
* Set to false if prop is not set, or set to any other value.
* System or security property that if set (or set to "true"), allows trust
* anchor certificates to be used if they do not have the proper CA
* extensions. Set to false if prop is not set, or set to any other value.
*/
private static final boolean ALLOW_NON_CA_ANCHOR = allowNonCaAnchor();
private static boolean allowNonCaAnchor() {
String prop = GetPropertyAction
.privilegedGetProperty("jdk.security.allowNonCaAnchor");
String prop = SecurityProperties
.privilegedGetOverridable("jdk.security.allowNonCaAnchor");
return prop != null && (prop.isEmpty() || prop.equalsIgnoreCase("true"));
}

@@ -1301,3 +1301,16 @@ jdk.io.permissionsUseCanonicalPath=false
# security property value defined here.
#
#jdk.security.krb5.default.initiate.credential=always-impersonate

#
# Trust Anchor Certificates - CA Basic Constraint check
#
# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
# connections) must have the cA Basic Constraint field set to 'true'. Also, if
# they include a Key Usage extension, the keyCertSign bit must be set. These
# checks, enabled by default, can be disabled for backward-compatibility
# purposes with the jdk.security.allowNonCaAnchor System and Security
# properties. In the case that both properties are simultaneously set, the
# System value prevails. The default value of the property is "false".
#
#jdk.security.allowNonCaAnchor=true

0 comments on commit 1c65145

Please sign in to comment.