[RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd party JCE provider

Anthony Scarpino anthony.scarpino at oracle.com
Fri Jul 14 04:25:27 UTC 2017

On 07/12/2017 07:45 AM, Sean Mullan wrote:
> On 7/11/17 3:10 PM, Langer, Christoph wrote:

>> In any case, from what you are saying, I take that I can safely patch 
>> our JDK distribution with this change without doing a bad thing to 
>> security in general, wouldn't you agree?
> Yes, I agree.
> Also, note that you can probably also workaround this issue by adding a 
> specific "SHA1/RSA" constraint to the jdk.certpath.disabledAlgorithms 
> security property.
> --Sean

The problem cannot be resolved by jdk.certpath.disabledAlgorithms. 
Without using X509CertImpl, the non-standard "SHA1/RSA" is not converted 
to "SHA1withRSA" The failing call is in the 
SSLAlgorithConstraints.permit() checks by matching the algorithm name 
with a list of standard supported algorithm names, and therefore fails.


More information about the security-dev mailing list