[RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd party JCE provider
Anthony Scarpino
anthony.scarpino at oracle.com
Fri Jul 14 04:25:27 UTC 2017
On 07/12/2017 07:45 AM, Sean Mullan wrote:
> On 7/11/17 3:10 PM, Langer, Christoph wrote:
>> In any case, from what you are saying, I take that I can safely patch
>> our JDK distribution with this change without doing a bad thing to
>> security in general, wouldn't you agree?
>
> Yes, I agree.
>
> Also, note that you can probably also work around this issue by adding a
> specific "SHA1/RSA" constraint to the jdk.certpath.disabledAlgorithms
> security property.
>
> --Sean
The problem cannot be resolved by jdk.certpath.disabledAlgorithms.
Without using X509CertImpl, the non-standard "SHA1/RSA" is not converted
to "SHA1withRSA". The failing call is in the
SSLAlgorithmConstraints.permit() checks by matching the algorithm name
with a list of standard supported algorithm names, and therefore fails.
Tony