Code review request, JDK-8168822, Document that algorithm restrictions do not apply to trusted certs

Xuelei Fan xuelei.fan at oracle.com
Thu Oct 27 22:55:06 UTC 2016


Hi Sean,

Thanks for the review.  I will use trust your suggested words.

Xuelei

On 10/28/2016 4:42 AM, Sean Mullan wrote:
> I'm not sure I like the word "trusted". That is too general and fairly
> subjective.
>
> I would say the following: "do not apply to trust anchors or self-signed
> certificates".
>
> --Sean
>
> On 10/26/2016 08:37 PM, Xuelei Fan wrote:
>> New webrev:
>>     http://cr.openjdk.java.net/~xuelei/8168822/webrev.01/
>>
>> On 10/27/2016 8:34 AM, Wang Weijun wrote:
>>> One question: I thought for TLS, you check twice. First using
>>> jdk.tls.disabledAlgorithms on cipher suites etc, and second using
>>> jdk.certpath.disabledAlgorithms on certificates. Why is
>>> jdk.tls.disabledAlgorithms applied to cert at all?
>>>
>> jdk.tls.disabledAlgorithms also check certificates used during
>> handshaking, not only cipher suites.
>>
>>> Thanks
>>> Max
>>>
>>> On 10/27/2016 8:30 AM, Wang Weijun wrote:
>>>> I don't think this applies to jdk.jar.disabledAlgorithms. While the
>>>> private key algorithm and key size are determined by the certificate, I
>>>> think they are always checked even if the end-entity cert is trusted
>>>> (For example, a trusted self-signed cert).
>>>>
>> Make sense to me.  I removed the update on jdk.jar.disabledAlgorithms.
>>
>> Thanks,
>> Xuelei
>>
>>>> Thanks
>>>> Max
>>>>
>>>> On 10/27/2016 8:04 AM, Xuelei Fan wrote:
>>>>> Hi,
>>>>>
>>>>> Please review the simple fix:
>>>>>
>>>>>     http://cr.openjdk.java.net/~xuelei/8168822/webrev/
>>>>>
>>>>> Algorithm restrictions do not apply to trusted certs as the
>>>>> application or customer has made the decision to trust the "trusted
>>>>> cert".  However, this point is not explicit for general developers and
>>>>> users.  We'd better to clarify this point explicitly.
>>>>>
>>>>> In the update, I add a short note for each algorithm constraint
>>>>> security
>>>>> properties:
>>>>>
>>>>>    Note: Algorithm restrictions do not apply to trusted certificates.
>>>>>
>>>>> Doc only update, no new regression test.
>>>>>
>>>>> Thanks,
>>>>> Xuelei


More information about the security-dev mailing list