Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8196415

Disable SHA-1 Signed JARs

    XMLWordPrintable

Details

    Backports

      Description

        Restrict JARs signed with algorithms using SHA-1 by default. This includes the JAR digest and signature algorithm, the timestamp digest algorithm, and the certificate chains of the code signer and Timestamp Authority. See below for exceptions.

        Restricting signed JARs is more complicated than TLS, due to the higher risk of breaking code that has been previously timestamped and may be still in use. The jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms security properties support a denyAfter constraint which can help mitigate this risk by only restricting SHA-1 JARs timestamped after a specific date, ex:

        jdk.jar.disabledAlgorithms=SHA1 denyAfter 2020-04-02

        The Root CAs included in the JDK that support code signing should all be issuing SHA-2 code signing certificates by default, although some may still allow SHA-1 to be requested, mainly for compatibility with older Windows systems that do not support SHA-2.

        The compatibility risk of disabling SHA-1 JARs is much lower in JDK 11 and up, since signed applets and WebStart applications are not supported.

        The current proposal is to disable SHA-1 JARs with the following exceptions:

          1. Any JAR signed and timestamped prior to January 01, 2019 is not restricted. This will allow SHA-1 JARs timestamped prior to this date and still in use to continue to work, but we encourage them to be replaced, as this exception will likely be removed in a future update.

          2. Any JAR signed with SHA-1 certificates that were not issued by (or chain back to) one of the Root CAs that are included in the JDK cacerts keystore is not restricted. Thus, if you are using a CA that is not included in the JDK you will not be affected. This is consistent with the TLS SHA-1 certificate restriction. But also like 1, this exception will likely be removed in a future update.

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8264354 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8264355 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8264357 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8267022 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8269320 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8264339 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8266298 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8266515 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8267030 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed
            csr for

            CSR - null JDK-8264362 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed
            is blocked by

            Bug - A problem which impairs or prevents the functions of the product. JDK-8242565 Policy initialization issues when the denyAfter constraint is enabled

            • P3 - Major loss of function.
            • Closed
            relates to

            Enhancement - null JDK-8269039 Disable SHA-1 Signed JARs

            • P3 - Major loss of function.
            • Resolved

            Bug - A problem which impairs or prevents the functions of the product. JDK-8266971 JDK-8196415 cause significant startup regressions on apps that include any SHA-1 signed JAR

            • P3 - Major loss of function.
            • Resolved

            Bug - A problem which impairs or prevents the functions of the product. JDK-8267100 [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed

            Enhancement - null JDK-8266022 Update jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms in the JSSE Reference Guide

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved
            links to

            Commit Commit openjdk/jdk16u/4ea26b89

            Commit Commit openjdk/jdk/27805775

            Review Review openjdk/jdk16u/111

            Review Review openjdk/jdk/3694

            Review Review openjdk/jdk/3700

            Activity

              People

                mullan Sean Mullan
                mullan Sean Mullan
                Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: