Type: CSR
Resolution: Unresolved
Priority: P3
Compatibility Kind: behavioral
Compatibility Risk: low
Interface Kind: System or security property
Scope: SE
Summary
Change the default key manager from "SunX509" to "PKIX"
Problem
The current default key manager, "SunX509", does not check the signature algorithms of the local certificate chain against the local algorithm constraints (the jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms security properties), nor against the algorithms the TLS peer advertises in the signature_algorithms and signature_algorithms_cert extensions of its ClientHello or CertificateRequest message (RFC 8446, TLSv1.3). It can therefore select a certificate that the local policy disallows or that the peer will reject. The "PKIX" key manager performs both checks.
Solution
- Change the default key manager from "SunX509" to "PKIX" in the java.security configuration file.
- Update the "Security Developer's Guide" documentation.
Specification
1) The javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm() method will return "PKIX", since by default it is specified to read the value of the ssl.KeyManagerFactory.algorithm security property. If the property is not set, the implementation falls back to "PKIX" instead of "SunX509".
2) java.security:
- ssl.KeyManagerFactory.algorithm=SunX509
+ ssl.KeyManagerFactory.algorithm=PKIX
3) Security Developer's Guide: "SunX509" is currently listed as the default value for KeyManager; change it to "PKIX".
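The difference the Problem section describes can be observed directly. The program below is an added example for this CSR, not JDK code: it prints the security property that item 1 of the specification reads, then feeds one keystore entry at a time to both a "SunX509" and a "PKIX" key manager and asks each to choose a server alias. It assumes a PKCS12 keystore built with the keytool commands in the header comment, the alias names weak and strong, and that keytool still creates an MD5withRSA-signed entry after printing its weak-algorithm warning (true of the JDKs this was checked against; treat it as an assumption).

```java
// KeyManagerDefaultDemo.java -- added example for JDK-8272875, not JDK source.
// Assumes a PKCS12 keystore prepared beforehand (keytool warns that MD5withRSA
// is weak but, on the JDKs this was checked against, still creates the entry):
//
//   keytool -genkeypair -keystore demo.p12 -storetype PKCS12 -storepass changeit \
//       -alias weak   -keyalg RSA -keysize 2048 -sigalg MD5withRSA    -dname CN=weak
//   keytool -genkeypair -keystore demo.p12 -storetype PKCS12 -storepass changeit \
//       -alias strong -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname CN=strong
//
// Run (JDK 11+ single-file mode):  java KeyManagerDefaultDemo.java demo.p12 changeit
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

public class KeyManagerDefaultDemo {

    public static void main(String[] args) throws Exception {
        // Item 1 of the specification: the default is whatever the security
        // property says ("SunX509" before this CSR, "PKIX" after it).
        System.out.println("ssl.KeyManagerFactory.algorithm = "
                + Security.getProperty("ssl.KeyManagerFactory.algorithm"));
        System.out.println("KeyManagerFactory.getDefaultAlgorithm() = "
                + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }

        // Judge each key entry on its own, so the outcome is attributable to
        // that entry's certificate rather than to keystore ordering.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%n%-8s sigAlg=%-14s", alias, leaf.getSigAlgName());
            KeyStore single = singleEntry(ks, alias, password);
            for (String algorithm : new String[] {"SunX509", "PKIX"}) {
                X509KeyManager km = keyManager(algorithm, single, password);
                // socket == null: the PKIX manager applies the default TLS
                // constraints (jdk.tls.disabledAlgorithms plus the certpath
                // constraints) and returns null when the chain fails them;
                // SunX509 applies no algorithm constraints at all.
                String chosen = km.chooseServerAlias("RSA", null, null);
                System.out.printf("  %s=%s", algorithm, chosen);
            }
        }
        System.out.println();
    }

    /** Builds an X509KeyManager of the given algorithm over the keystore. */
    static X509KeyManager keyManager(String algorithm, KeyStore ks, char[] password)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new IllegalStateException(algorithm + " returned no X509KeyManager");
    }

    /** Copies one key entry into a fresh in-memory keystore. */
    static KeyStore singleEntry(KeyStore ks, String alias, char[] password)
            throws Exception {
        KeyStore one = KeyStore.getInstance("PKCS12");
        one.load(null, null);
        one.setKeyEntry(alias, ks.getKey(alias, password), password,
                ks.getCertificateChain(alias));
        return one;
    }
}
```

On a JDK where the property still reads "SunX509", the first two lines show that getDefaultAlgorithm() simply echoes it; after this CSR they both show "PKIX". For the weak entry, "SunX509" returns the alias as readily as for the strong one, while "PKIX" returns null because it runs the chain through the same AlgorithmChecker that certpath validation uses, with the TLS disabled-algorithm list as the constraint set. Note the caveat that applies to the example as written: with a null socket only the local constraints are consulted; the peer's signature_algorithms from ClientHello or CertificateRequest are taken into account only when the key manager is called by the TLS stack with a connected SSLSocket or SSLEngine.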
csr of: JDK-8272875 Change the default key manager to PKIX (In Progress)