Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8355219

Change the default key manager to PKIX

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Unresolved
    • Icon: P3 P3
    • None
    • security-libs
    • None
    • behavioral
    • low
    • Hide
      1) Customers using local certificates signed using algorithms prohibited by the default configuration (notably MD5 and SHA1) no longer will be able to use such certificates without modifying algorithm constraints in `java.security` config file.
      2) Performance impact: there is about x2 performance decrease for full (non-resume) TLS handshake.
      Show
      1) Customers using local certificates signed using algorithms prohibited by the default configuration (notably MD5 and SHA1) no longer will be able to use such certificates without modifying algorithm constraints in `java.security` config file. 2) Performance impact: there is about x2 performance decrease for full (non-resume) TLS handshake.
    • System or security property
    • SE

      Summary

      Change the default key manager from "SunX509" to "PKIX"

      Problem

      Current default SunX509 Key Manager doesn't check local certificate signature against local algorithm constraints and also against peer-supported algorithms supplied by TLS peer with ClientHello or with CertificateRequest commands (per TLSv1.3 RFC).

      Solution

      • Change the default key manager from "SunX509" to "PKIX" in java.security config file.
      • Update "Security Developer's Guide" documentation.

      Specification

      1) The javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm() method will return "PKIX" since by default it is specified to read the value of the ssl.KeyManagerFactory.algorithm security property. If the property does not exist, the implementation will also return "PKIX" instead of "SunX509".

      2) java.security:

       - ssl.KeyManagerFactory.algorithm=SunX509
 + ssl.KeyManagerFactory.algorithm=PKIX

      3) Security Developer’s Guide:

      "SunX509" is currently listed as the default value for KeyManager, change it to
"PKIX"

            abarashev Artur Barashev
            xuelei Xuelei Fan
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated: