RFR: 8269039: Disable SHA-1 Signed JARs

Sean Mullan mullan at openjdk.java.net
Tue Aug 31 19:03:46 UTC 2021 

This change will disable JARs signed with algorithms using SHA-1 by default, and treat them as unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. The specific details are more fully described in the CSR: https://bugs.openjdk.java.net/browse/JDK-8272155.

Some additional notes about the fix:

- This change was previously backed out of JDK 17 and delayed because of performance regressions. The overall performance is still to be verified, but the primary bottlenecks were addressed as follows:
    - `sun.security.util.DisabledAlgorithmConstraints` no longer depends on `java.text.SimpleDateFormat` to format date fields which is expensive.
    - the `jdkCA` constraint has been removed as this caused the `cacerts` keystore to be loaded. Applications  using SHA-1 JARs signed by certificates that chain back to private CAs and are impacted by the restrictions can, at their own risk, adjust the properties and add back in the `jdkCA` constraint.
 - `jarsigner` has been enhanced to more accurately warn about algorithms that are disabled based on the constraints specified in the security properties. Previously it had used a simpler scheme which did not take into account constraints such as `Usage` or `DenyAfter`. Similar changes should also be made to `keytool` but that will be addressed in a separate issue.
 - Some SHA-1 JARs used by tests where it does not affect the results have been re-signed with SHA-2 algorithms.

-------------

Commit messages:
 - Fix trailing whitespace.
 - Initial revision.

Changes: https://git.openjdk.java.net/jdk/pull/5320/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5320&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8269039
  Stats: 643 lines in 27 files changed: 301 ins; 214 del; 128 mod
  Patch: https://git.openjdk.java.net/jdk/pull/5320.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/5320/head:pull/5320

PR: https://git.openjdk.java.net/jdk/pull/5320

More information about the security-dev mailing list