-
Sub-task
-
Resolution: Fixed
-
P4
-
None
A additional constraint should be added to the jdk.certpath.disabledAlgorithms security property to allow for further granularity and flexibility.
A NotAfterConstraint can be used to block certificates that expire after a certain date, or in the case of signed JARs, allow them to be used if timestamped before that date. This type of constraint is useful for sunsetting algorithms that are weak and should not be used after a certain point in the future but also allow existing certificates that expire before that date, or signed JARs that have been timestamped before that date, to continue working.
Proposed syntax:
# NotAfterConstraint:
# notAfter Date
#
# Date
# YYYYMMDD
All dates are interpreted in the GMT timezone. Example:
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, SHA-1 notAfter 20170101 eku serverAuth, clientAuth, codeSigning
A NotAfterConstraint can be used to block certificates that expire after a certain date, or in the case of signed JARs, allow them to be used if timestamped before that date. This type of constraint is useful for sunsetting algorithms that are weak and should not be used after a certain point in the future but also allow existing certificates that expire before that date, or signed JARs that have been timestamped before that date, to continue working.
Proposed syntax:
# NotAfterConstraint:
# notAfter Date
#
# Date
# YYYYMMDD
All dates are interpreted in the GMT timezone. Example:
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, SHA-1 notAfter 20170101 eku serverAuth, clientAuth, codeSigning