RFR: 8269039: Disable SHA-1 Signed JARs [v5]

Sean Mullan mullan at openjdk.java.net
Mon Sep 20 17:26:12 UTC 2021


> This change will disable JARs signed with algorithms using SHA-1 by default, and treat them as unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. The specific details are more fully described in the CSR: https://bugs.openjdk.java.net/browse/JDK-8272155.
> 
> Some additional notes about the fix:
> 
> - This change was previously backed out of JDK 17 and delayed because of performance regressions. The overall performance is still to be verified, but the primary bottlenecks were addressed as follows:
>     - `sun.security.util.DisabledAlgorithmConstraints` no longer depends on `java.text.SimpleDateFormat` to format date fields which is expensive.
>     - the `jdkCA` constraint has been removed as this caused the `cacerts` keystore to be loaded. Applications  using SHA-1 JARs signed by certificates that chain back to private CAs and are impacted by the restrictions can, at their own risk, adjust the properties and add back in the `jdkCA` constraint.
>  - `jarsigner` has been enhanced to more accurately warn about algorithms that are disabled based on the constraints specified in the security properties. Previously it had used a simpler scheme which did not take into account constraints such as `Usage` or `DenyAfter`. Similar changes should also be made to `keytool` but that will be addressed in a separate issue.
>  - Some SHA-1 JARs used by tests where it does not affect the results have been re-signed with SHA-2 algorithms.

Sean Mullan has updated the pull request incrementally with one additional commit since the last revision:

  Rename JarConstraintsParameter.init to addToCertsAndKeys. Add more comments
  describing PKIX date() method.

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/5320/files
  - new: https://git.openjdk.java.net/jdk/pull/5320/files/ee2d3080..3f942e52

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5320&range=04
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5320&range=03-04

  Stats: 16 lines in 2 files changed: 5 ins; 0 del; 11 mod
  Patch: https://git.openjdk.java.net/jdk/pull/5320.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/5320/head:pull/5320

PR: https://git.openjdk.java.net/jdk/pull/5320


More information about the security-dev mailing list