[7u12] request for approval, 7109274, Restrict the use of certificates with RSA keys less than 1024 bits
Seán Coffey
sean.coffey at oracle.com
Fri Dec 28 10:26:43 PST 2012
Approved.
regards,
Sean.
On 28/12/2012 09:41, Xuelei Fan wrote:
> Hi,
>
> This is a request to backport a JDK 8 fix into JDK 7u12:
> 7109274: Restrict the use of certificates with RSA keys less than
> 1024 bits
>
> The fix has already been pushed to JDK 8:
> http://hg.openjdk.java.net/jdk8/tl/jdk/rev/645d774b683a
>
> The code changes for jdk7u are identical to the ones in jdk8. The fix is
> simple, with no expected risks.
>
> In this update, we are proposing to restrict the use of certificates
> with RSA keys less than 1024 bits in length. This restriction is
> applied via the Java Security property,
> "jdk.certpath.disabledAlgorithms". This will impact providers that
> adhere to this security property, for example, the Sun provider and the
> SunJSSE provider.
>
> The security property, "jdk.certpath.disabledAlgorithms", also covers
> the use of the static keys (the key in X.509 certificate) used in TLS.
> Therefore, we don't need to add any further restrictions to the
> "jdk.tls.disabledAlgorithms" security property.
>
> With this key size restriction, those who use X.509 certificates based
> on RSA keys less than 1024 bits will encounter compatibility issues with
> certification path building and validation. This key size restriction
> also impacts JDK components that validate X.509 certificates, for
> example signed JAR verification, SSL/TLS transportation, HTTPS
> connections, etc.
>
> In order to avoid the compatibility issue, users who use X.509
> certificates with RSA keys less than 1024 bits are recommended to renew
> their certificates with stronger keys. As a workaround, at their own
> risk, users can adjust the key size restriction security property
> ("jdk.certpath.disabledAlgorithms") to permit smaller key sizes.
>
> I intend to push the change set to
> ssh://hg.openjdk.java.net/jdk7u/jdk7u-dev-gate/jdk
>
> Regards,
> Xuelei
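
An added example, not part of the original thread or of the JDK change: a Java audit that reads the `jdk.certpath.disabledAlgorithms` property described above and lists keystore certificates whose RSA key falls under its limit, so they can be renewed before the update is applied. The class and helper names and the `RSA keySize < N` parsing are assumptions of this example, the fallback of 1024 is the limit proposed in the request, and the sample keys used when no keystore is given are generated in memory.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.regex.*;

public class RsaKeySizeAudit {
    // Parse the "RSA keySize < N" entry of jdk.certpath.disabledAlgorithms; -1 if absent.
    static int rsaLimit(String prop) {
        if (prop == null) return -1;
        Matcher m = Pattern.compile("(?i)\\bRSA\\s+keySize\\s*<\\s*(\\d+)").matcher(prop);
        return m.find() ? Integer.parseInt(m.group(1)) : -1;
    }
    // True when the key is RSA and its modulus is shorter than the limit.
    static boolean restricted(PublicKey key, int limit) {
        return key instanceof RSAPublicKey
            && ((RSAPublicKey) key).getModulus().bitLength() < limit;
    }

    public static void main(String[] args) throws Exception {
        String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
        int limit = rsaLimit(prop);
        if (limit < 0) limit = 1024;   // assumption: fall back to the limit this update proposes
        System.out.println("jdk.certpath.disabledAlgorithms = " + prop);
        if (args.length == 2) {        // audit a keystore: <path> <password>
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[1].toCharArray());
            }
            for (String alias : Collections.list(ks.aliases())) {
                Certificate c = ks.getCertificate(alias);
                if (c instanceof X509Certificate && restricted(c.getPublicKey(), limit))
                    System.out.println("RESTRICTED " + alias + " "
                        + ((X509Certificate) c).getSubjectX500Principal());
            }
            return;
        }
        // No keystore given: constructed sample keys, generated in memory.
        for (int bits : new int[] {512, 1024, 2048}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(bits);
            PublicKey pub = kpg.generateKeyPair().getPublic();
            System.out.println(bits + "-bit RSA key: "
                + (restricted(pub, limit) ? "restricted" : "permitted"));
        }
    }
}
```

The audit only checks the end-entity or trusted certificate stored under each alias; intermediate certificates in a chain need the same check, since certification path validation applies the restriction to every certificate in the path.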