- CSR
- Resolution: Approved
- P4
- None
- behavioral
- minimal
- The introduction of a Security property mirroring an existing System property should not pose any compatibility risk.
- System or security property
- JDK
Original CSR: JDK-8241893
Differences with original CSR: none
Summary
Mirror the jdk.security.allowNonCaAnchor System property with a Security property of the same name. If both are set simultaneously, the System property takes precedence.
Problem
Even though the jdk.security.allowNonCaAnchor System property can be used for backward-compatibility purposes after JDK-8230318, it's not possible to set its value in a global and persistent way: it has to be set as an argument for each JVM invocation.
Solution
By mirroring the jdk.security.allowNonCaAnchor System property with a Security one of the same name, the property value can be set in a global and persistent java.security file.
Specification
X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS connections) must have the cA Basic Constraint field set to 'true'. Also, if they include a Key Usage extension, the keyCertSign bit must be set. These checks, enabled by default, can be disabled for backward-compatibility purposes with the jdk.security.allowNonCaAnchor System and Security properties. In the case that both properties are simultaneously set, the System value prevails.
More information about the jdk.security.allowNonCaAnchor property can be found here.
- csr of: JDK-8271933 Mirror jdk.security.allowNonCaAnchor system property with a security one (Closed)