JDK-8361312

Remove Sun Microsystems JCE Code Signing Root CA

    • behavioral
    • minimal
    • Providers which have not been re-signed with a certificate issued after April 2016 will no longer be trusted.
    • Other

      Summary

      No longer trust certificates issued by the old Sun Microsystems JCE Certificate Authority.

      Problem

      The Oracle (previously Sun) JCE Certificate Authority has been in operation for 25+ years. This program issues code-signing certificates to customers so that they can create third-party JCE cryptographic providers for use in the Oracle JDK (or Oracle JDK-derived distributions). Certificates are issued only if the customer provides assurances that they will follow all applicable export regulations.

      The currently acceptable JCE root certificates are:

      • a certificate issued by Sun Microsystems Inc. This has a 1024-bit DSA key and a SHA1withDSA signature algorithm, and expired in April 2020.
      • a certificate issued by Oracle Corporation. This has a 2048-bit RSA key and a SHA256withRSA signature algorithm. It is valid from 2016 to 2030.

      1024-bit DSA key lengths and SHA1withDSA signatures are no longer considered acceptable (safe).

      Certificates issued after April 2016 by the Oracle JCE CMS program chain to the latter certificate, but our JCE third-party verification code currently accepts either root certificate.

      Solution

      We will no longer accept certificates chained from the expired, now insecure root CA certificate. These certificates, issued under the old Sun CA program, were valid for 5 years and expired in 2021 at the latest.
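
An added example, not part of this CSR or of the JDK sources: a pre-upgrade inventory check that lists the certificates in a provider JAR's signature blocks which name the old Sun root as issuer. The class and method names are hypothetical; matching is by issuer DN (copied from the comment in the Specification below) and no signature is validated.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.security.auth.x500.X500Principal;

public class JceSignerInventory {
    // DN of the removed root, as recorded in the Specification comment.
    static final X500Principal SUN_JCE_ROOT = new X500Principal(
        "CN=JCE Code Signing CA, OU=Java Software Code Signing, "
        + "O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US");

    /** Subjects of certificates in the JAR's signature blocks whose issuer is the Sun root. */
    static Set<String> certsIssuedBySunRoot(String jarPath) throws Exception {
        Set<String> hits = new LinkedHashSet<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // verify=false: inventory only, so JARs the runtime would treat as unsigned are still read.
        try (JarFile jar = new JarFile(jarPath, false)) {
            for (JarEntry entry : Collections.list(jar.entries())) {
                String name = entry.getName().toUpperCase(Locale.ROOT);
                // Signature blocks are PKCS#7 files directly under META-INF/.
                if (!name.matches("META-INF/[^/]+\\.(DSA|RSA|EC)")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    for (Certificate c : cf.generateCertificates(in)) {
                        X509Certificate x = (X509Certificate) c;
                        if (SUN_JCE_ROOT.equals(x.getIssuerX500Principal())) {
                            hits.add(x.getSubjectX500Principal().getName());
                        }
                    }
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        for (String jar : args) {   // provider JAR paths given on the command line
            System.out.println(jar + " -> issued by Sun JCE root: " + certsIssuedBySunRoot(jar));
        }
    }
}
```

An empty set means no certificate in the JAR names the Sun root as issuer; a non-empty set identifies a provider that needs re-signing under the Oracle root.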

      Specification

      Certificates signed by the expired CA certificate are no longer trusted.

      -/* Sun:
      -Owner: CN=JCE Code Signing CA, OU=Java Software Code Signing,
      -O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
      -Issuer: CN=JCE Code Signing CA, OU=Java Software Code Signing,
          -O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
      -Serial number: 10
      -Valid from: Wed Apr 25 00:00:00 PDT 2001 until: Sat Apr 25 00:00:00 PDT 2020
      -Certificate fingerprints:
      -         MD5:  66:25:5A:78:3E:1A:CA:06:C1:43:A6:15:AE:BE:A5:92
      -         SHA1: 57:37:D1:E1:16:2F:F6:FE:26:B9:87:88:D2:86:DA:66:7F:98:54:3C
      -*/
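
Review bot: The Specification shows only the removal of the descriptive comment for the Sun root (the lines from `-/* Sun:` to `-*/`); the removal of the certificate itself and of the path in the verification code that accepts it as a root are not shown, so the stated behaviour ("Certificates signed by the expired CA certificate are no longer trusted") cannot be checked against this hunk. Suggest including those lines, or saying explicitly that they are removed together with the comment. The serial number and SHA1 fingerprint recorded here would also be worth carrying into the release note, so that affected provider JARs can still be identified once the comment is gone.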

            wetmore Bradford Wetmore
            mullan Sean Mullan
            Jamil Nimeh, Sean Mullan