Integrated: 8269039: Disable SHA-1 Signed JARs
mullan at openjdk.java.net
Tue Sep 21 13:49:35 UTC 2021
On Tue, 31 Aug 2021 18:53:36 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> This change will disable JARs signed with algorithms using SHA-1 by default, and treat them as unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. The specific details are more fully described in the CSR: https://bugs.openjdk.java.net/browse/JDK-8272155.
> Some additional notes about the fix:
> - This change was previously backed out of JDK 17 and delayed because of performance regressions. The overall performance is still to be verified, but the primary bottlenecks were addressed as follows:
> - `sun.security.util.DisabledAlgorithmConstraints` no longer depends on `java.text.SimpleDateFormat` to format date fields which is expensive.
> - the `jdkCA` constraint has been removed as this caused the `cacerts` keystore to be loaded. Applications using SHA-1 JARs signed by certificates that chain back to private CAs and are impacted by the restrictions can, at their own risk, adjust the properties and add back in the `jdkCA` constraint.
> - `jarsigner` has been enhanced to more accurately warn about algorithms that are disabled based on the constraints specified in the security properties. Previously it had used a simpler scheme which did not take into account constraints such as `Usage` or `DenyAfter`. Similar changes should also be made to `keytool` but that will be addressed in a separate issue.
> - Some SHA-1 JARs used by tests where it does not affect the results have been re-signed with SHA-2 algorithms.
This pull request has now been integrated.
Author: Sean Mullan <mullan at openjdk.org>
Stats: 666 lines in 27 files changed: 314 ins; 214 del; 138 mod
8269039: Disable SHA-1 Signed JARs
More information about the compiler-dev