JDK-8355219

Change the default key manager to PKIX


    • Type: CSR
    • Resolution: Unresolved
    • Priority: P3
    • Fix Version/s: None
    • Component/s: security-libs
    • Subcomponent: None
    • Compatibility Kind: behavioral
    • Compatibility Risk: low
    • Compatibility Risk Description:
      1) Customers using local certificates signed with algorithms prohibited by the default configuration (notably MD5 and SHA1) will no longer be able to use such certificates without modifying the algorithm constraints in the `java.security` config file.
      2) Performance impact: there is about a 2x performance decrease for a full (non-resume) TLS handshake.
    • Interface Kind: System or security property
    • Scope: JDK

      Summary

      Change the default key manager from "SunX509" to "PKIX"

      Problem

      The current default key manager, SunX509, does not check the local certificate's signature algorithm against the local algorithm constraints, nor against the peer-supported signature algorithms that the TLS peer supplies in its ClientHello or CertificateRequest messages (per the TLSv1.3 RFC).

      Solution

      • Change the default key manager from "SunX509" to "PKIX" in java.security config file.
      • Re-work 3 unit tests broken by the above change.
      • Update "Security Developer's Guide" documentation.

      Specification

      java.security:

       - ssl.KeyManagerFactory.algorithm=SunX509
       + ssl.KeyManagerFactory.algorithm=PKIX

      Security Developer’s Guide:

      "SunX509" is currently listed as the default value for KeyManager; change it to "PKIX".
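A pre-flight check a deployer might run before this change, as an added example (not code from the CSR or the JDK): it prints the effective KeyManagerFactory algorithm and classifies certificate signature algorithms against the `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms` security properties, which is the kind of local constraint the CSR says SunX509 does not enforce. The keystore path and password are assumed command-line arguments, and the name matching is a simplified version of the JDK's decomposition of names such as SHA1withRSA.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.KeyManagerFactory;
// Added example, not JDK code: flag key-entry certificates whose signature
// algorithm is disabled by the security properties a PKIX key manager consults.
public class KeyManagerPreflight {
    static final String[] LIVE_PROPS = { Security.getProperty("jdk.certpath.disabledAlgorithms"),
                                         Security.getProperty("jdk.tls.disabledAlgorithms") };
    // Entries are comma separated: "MD5" or "MD5withRSA" are unconditional; "RSA keySize < 1024"
    // or "SHA1 jdkCA & usage TLSServer" carry qualifiers not modelled here, so yield CONDITIONAL.
    static String classify(String sigAlgName, String... properties) {
        String upper = sigAlgName.toUpperCase(Locale.ROOT);
        List<String> parts = List.of(upper.split("WITH"));   // SHA1withRSA -> SHA1, RSA
        String verdict = "OK";
        for (String property : properties) {
            if (property == null) continue;
            for (String entry : property.split(",")) {
                String[] words = entry.trim().split("\\s+");
                String name = words[0].toUpperCase(Locale.ROOT);
                if (!name.equals(upper) && !parts.contains(name)) continue;
                if (words.length == 1) return "DISABLED";
                verdict = "CONDITIONAL";
            }
        }
        return verdict;
    }
    static void scanKeyStore(File file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(file, password);          // type auto-detected
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) continue;                             // not a private-key entry
            for (Certificate c : chain) {
                String sigAlg = ((X509Certificate) c).getSigAlgName();
                System.out.printf("%s: %s -> %s%n", alias, sigAlg, classify(sigAlg, LIVE_PROPS));
            }
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("default key manager: " + KeyManagerFactory.getDefaultAlgorithm());
        for (String s : List.of("MD5withRSA", "SHA1withRSA", "SHA256withRSA", "SHA256withECDSA"))
            System.out.println(s + " -> " + classify(s, LIVE_PROPS));   // constructed sample names
        if (args.length == 2) scanKeyStore(new File(args[0]), args[1].toCharArray());
    }
}
```

Running it with `java KeyManagerPreflight <keystore> <password>` lists each chain certificate as OK, CONDITIONAL or DISABLED under the JVM's current settings.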

            abarashev Artur Barashev
            xuelei Xuelei Fan