Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8359956 Support algorithm constraints and certificate checks in SunX509 key manager
  3. JDK-8364529

Release Note: Support Algorithm Constraints and Certificate Checks in SunX509 Key Manager

XMLWordPrintable

      The default "SunX509" `KeyManagerFactory` for TLS now supports the same algorithm constraints and certificate check functionality as the "PKIX" `KeyManagerFactory`. Selection and prioritization of the local certificates chosen by the `KeyManager` is based on the following checks:

      1) Local certificates are checked against peer supported certificate signature algorithms sent with the `signature_algorithms_cert` TLS extension.
      2) Local certificates are checked against TLS algorithm constraints specified in the `jdk.tls.disabledAlgorithms` and `jdk.certpath.disabledAlgorithms` security properties.
      3) Local certificates are prioritized based on validity period and certificate extensions.

      The legacy behavior (no checking of local certificates) of the "SunX509" key manager can be restored by setting the `jdk.tls.SunX509KeyManager.certChecking` system property to `false`.

            abarashev Artur Barashev
            abarashev Artur Barashev
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: