JDK-8241893

Mirror jdk.security.allowNonCaAnchor system property with a security one


    • Type: CSR
    • Resolution: Approved
    • Priority: P4
    • Fix Version: 15
    • Component: security-libs
    • None
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: The introduction of a Security property mirroring an existing System property should not pose any compatibility risk.
    • Interface Kind: System or security property
    • Scope: JDK

      Summary

      Mirror the jdk.security.allowNonCaAnchor System property with a Security one of the same name. In the case that both are simultaneously set, the System property overrides.

      Problem

      Even though the jdk.security.allowNonCaAnchor System property can be used for backward-compatibility purposes after JDK-8230318, its value cannot be set in a global and persistent way: it has to be passed as an argument on every JVM invocation.

      Solution

      By mirroring the jdk.security.allowNonCaAnchor System property with a Security one of the same name, the property value can be set in a global and persistent java.security file.

      Specification

      X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS connections) must have the cA Basic Constraints field set to 'true'. Also, if they include a Key Usage extension, the keyCertSign bit must be set. These checks, enabled by default, can be disabled for backward-compatibility purposes with the jdk.security.allowNonCaAnchor System and Security properties. If both properties are set at the same time, the System value prevails.

      More information about the jdk.security.allowNonCaAnchor property can be found here.
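      The following is an added audit utility, not code from this CSR or from the JDK itself. It loads a truststore (defaulting to the running JDK's cacerts), applies the two anchor checks the Specification describes (cA Basic Constraints true; keyCertSign set when a Key Usage extension is present) to every certificate entry, and resolves jdk.security.allowNonCaAnchor with the precedence described above (System property over Security property). The resolution logic is a reconstruction of the stated precedence, not the JDK's internal implementation; the keystore path, password handling and output format are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class TrustAnchorAudit {

    static final String PROP = "jdk.security.allowNonCaAnchor";

    /**
     * Effective value following the precedence the CSR describes: a System
     * property (-D on the command line) wins over the Security property
     * (java.security file). This mirrors the documented rule; it is not the
     * JDK's own lookup code.
     */
    static boolean allowNonCaAnchor() {
        String sys = System.getProperty(PROP);
        String sec = Security.getProperty(PROP);
        String value = (sys != null) ? sys : sec;
        return value != null && Boolean.parseBoolean(value.trim());
    }

    /**
     * Returns null when the certificate satisfies the default trust anchor
     * checks, otherwise a short description of why it would be rejected.
     */
    static String anchorProblem(X509Certificate cert) {
        // getBasicConstraints() returns -1 when the extension is absent or cA is false
        if (cert.getBasicConstraints() == -1) {
            return "Basic Constraints cA is not true";
        }
        boolean[] ku = cert.getKeyUsage();
        // keyCertSign is bit 5 of the KeyUsage bit string; a missing extension imposes no restriction
        if (ku != null && (ku.length <= 5 || !ku[5])) {
            return "Key Usage extension present but keyCertSign bit not set";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the running JDK's cacerts, loaded without an integrity password
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = args.length > 1 ? args[1].toCharArray() : null;

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        boolean lenient = allowNonCaAnchor();
        System.out.println(PROP + " effective value: " + lenient);

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            String problem = anchorProblem((X509Certificate) c);
            if (problem != null) {
                // With the property enabled the anchor is still accepted, so only warn
                System.out.println((lenient ? "WARN   " : "REJECT ") + alias + ": " + problem);
            }
        }
    }
}
```

      Run it once with no property set to see which anchors the default checks would reject, then with -Djdk.security.allowNonCaAnchor=true (or the same line in java.security) to confirm the precedence: the -D value is reported even when java.security says otherwise. Any REJECT line is an anchor worth replacing rather than a reason to enable the property globally.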

            mbalao Martin Balao Alonso
            mbalao Martin Balao Alonso
            Sean Mullan