diff options
author | mullan <unknown> | 2019-03-01 00:55:45 +0000 |
---|---|---|
committer | bell-sw <liberica@bell-sw.com> | 2019-04-20 16:52:16 +0300 |
commit | 27ed098d2e231b1f7ed3d0a19f29bfc17cdea993 (patch) | |
tree | d2281e33bfc00f95af14e07b3bcf548190cf9baa /src/share | |
parent | d74e815fbe0eb026f5c0ee20a56ae4dc21f54e64 (diff) | |
download | jdk8u_jdk-27ed098d2e231b1f7ed3d0a19f29bfc17cdea993.tar.gz |
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
Summary: Add class CADistrustPolicy and distrust Symantec.
Reviewed-by: weijun
Diffstat (limited to 'src/share')
-rw-r--r-- | src/share/classes/sun/security/validator/CADistrustPolicy.java | 105 | ||||
-rw-r--r-- | src/share/classes/sun/security/validator/EndEntityChecker.java | 27 | ||||
-rw-r--r-- | src/share/classes/sun/security/validator/SymantecTLSPolicy.java | 199 | ||||
-rw-r--r-- | src/share/classes/sun/security/validator/Validator.java | 4 | ||||
-rw-r--r-- | src/share/lib/security/java.security-aix | 30 | ||||
-rw-r--r-- | src/share/lib/security/java.security-linux | 30 | ||||
-rw-r--r-- | src/share/lib/security/java.security-macosx | 30 | ||||
-rw-r--r-- | src/share/lib/security/java.security-solaris | 30 | ||||
-rw-r--r-- | src/share/lib/security/java.security-windows | 30 |
9 files changed, 473 insertions, 12 deletions
diff --git a/src/share/classes/sun/security/validator/CADistrustPolicy.java b/src/share/classes/sun/security/validator/CADistrustPolicy.java new file mode 100644 index 0000000000..b1b59b2015 --- /dev/null +++ b/src/share/classes/sun/security/validator/CADistrustPolicy.java @@ -0,0 +1,105 @@ +/* + * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +package sun.security.validator; + +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.security.Security; +import java.security.cert.X509Certificate; +import java.util.EnumSet; + +import sun.security.util.Debug; + +/** + * Policies for distrusting a certificate authority (CA). See the + * jdk.security.caDistrustPolicies security property for more information. + */ +enum CADistrustPolicy { + /** + * Distrust TLS Server certificates anchored by a Symantec root CA and + * issued after April 16, 2019 (with exceptions for a couple of subordinate + * CAs, see the jdk.security.caDistrustPolicies definition in the + * java.security file for more details). If enabled, this policy is + * currently enforced by the PKIX and SunX509 TrustManager implementations + * of the SunJSSE provider implementation. + */ + SYMANTEC_TLS { + void checkDistrust(String variant, X509Certificate[] chain) + throws ValidatorException { + if (!variant.equals(Validator.VAR_TLS_SERVER)) { + return; + } + SymantecTLSPolicy.checkDistrust(chain); + } + }; + + /** + * Checks if the end-entity certificate is distrusted. + * + * @param variant the type of certificate being checked + * @param chain the end-entity's certificate chain. The end entity cert + * is at index 0, the trust anchor at index n-1. + * @throws ValidatorException if the end-entity certificate is distrusted + */ + abstract void checkDistrust(String variant, + X509Certificate[] chain) + throws ValidatorException; + + // The policies set in the jdk.security.caDistrustPolicies property. + static final EnumSet<CADistrustPolicy> POLICIES = parseProperty(); + private static EnumSet<CADistrustPolicy> parseProperty() { + String property = AccessController.doPrivileged( + new PrivilegedAction<String>() { + @Override + public String run() { + return Security.getProperty( + "jdk.security.caDistrustPolicies"); + } + }); + EnumSet<CADistrustPolicy> set = EnumSet.noneOf(CADistrustPolicy.class); + // if property is null or empty, the restrictions are not enforced + if (property == null || property.isEmpty()) { + return set; + } + String[] policies = property.split(","); + for (String policy : policies) { + policy = policy.trim(); + try { + CADistrustPolicy caPolicy = + Enum.valueOf(CADistrustPolicy.class, policy); + set.add(caPolicy); + } catch (IllegalArgumentException iae) { + // ignore unknown values but log it + Debug debug = Debug.getInstance("certpath"); + if (debug != null) { + debug.println("Unknown value for the " + + "jdk.security.caDistrustPolicies property: " + + policy); + } + } + } + return set; + } +} diff --git a/src/share/classes/sun/security/validator/EndEntityChecker.java b/src/share/classes/sun/security/validator/EndEntityChecker.java index 0ecdaa18b5..9e9d3e6293 100644 --- a/src/share/classes/sun/security/validator/EndEntityChecker.java +++ b/src/share/classes/sun/security/validator/EndEntityChecker.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -132,25 +132,26 @@ class EndEntityChecker { return new EndEntityChecker(type, variant); } - void check(X509Certificate cert, Object parameter, - boolean checkUnresolvedCritExts) throws CertificateException { + void check(X509Certificate[] chain, Object parameter, + boolean checkUnresolvedCritExts) + throws CertificateException { if (variant.equals(Validator.VAR_GENERIC)) { return; // no checks } - Set<String> exts = getCriticalExtensions(cert); + Set<String> exts = getCriticalExtensions(chain[0]); if (variant.equals(Validator.VAR_TLS_SERVER)) { - checkTLSServer(cert, (String)parameter, exts); + checkTLSServer(chain[0], (String)parameter, exts); } else if (variant.equals(Validator.VAR_TLS_CLIENT)) { - checkTLSClient(cert, exts); + checkTLSClient(chain[0], exts); } else if (variant.equals(Validator.VAR_CODE_SIGNING)) { - checkCodeSigning(cert, exts); + checkCodeSigning(chain[0], exts); } else if (variant.equals(Validator.VAR_JCE_SIGNING)) { - checkCodeSigning(cert, exts); + checkCodeSigning(chain[0], exts); } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) { - checkCodeSigning(cert, exts); + checkCodeSigning(chain[0], exts); } else if (variant.equals(Validator.VAR_TSA_SERVER)) { - checkTSAServer(cert, exts); + checkTSAServer(chain[0], exts); } else { throw new CertificateException("Unknown variant: " + variant); } @@ -159,6 +160,12 @@ class EndEntityChecker { if (checkUnresolvedCritExts) { checkRemainingExtensions(exts); } + + // check if certificate should be distrusted according to policies + // set in the jdk.security.caDistrustPolicies security property + for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) { + policy.checkDistrust(variant, chain); + } } /** diff --git a/src/share/classes/sun/security/validator/SymantecTLSPolicy.java b/src/share/classes/sun/security/validator/SymantecTLSPolicy.java new file mode 100644 index 0000000000..14eee2bd99 --- /dev/null +++ b/src/share/classes/sun/security/validator/SymantecTLSPolicy.java @@ -0,0 +1,199 @@ +/* + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +package sun.security.validator; + +import java.security.cert.X509Certificate; +import java.time.LocalDate; +import java.time.Month; +import java.time.ZoneOffset; +import java.util.Arrays; +import java.util.Date; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; + +import sun.security.x509.X509CertImpl; + +/** + * This class checks if Symantec issued TLS Server certificates should be + * restricted. + */ +final class SymantecTLSPolicy { + private static final LocalDate DECEMBER_31_2019 = + LocalDate.of(2019, Month.DECEMBER, 31); + // SHA-256 certificate fingerprints of subCAs with later distrust dates + private static final Map<String, LocalDate> EXEMPT_SUBCAS = new HashMap(); + static { + // Subject DN: C=US, O=Apple Inc., OU=Certification Authority, + // CN=Apple IST CA 2 - G1 + // Issuer DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US + EXEMPT_SUBCAS.put("AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B", + DECEMBER_31_2019); + + + // Subject DN: C=US, O=Apple Inc., OU=Certification Authority, + // CN=Apple IST CA 8 - G1 + // Issuer DN: CN=GeoTrust Primary Certification Authority - G2, + // OU=(c) 2007 GeoTrust Inc. - For authorized use only, + // O=GeoTrust Inc., C=US + EXEMPT_SUBCAS.put("A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED", + DECEMBER_31_2019); + } + + // SHA-256 certificate fingerprints of distrusted roots + private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList( + // cacerts alias: geotrustglobalca + // DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US + "FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A", + // cacerts alias: geotrustprimaryca + // DN: CN=GeoTrust Primary Certification Authority, + // O=GeoTrust Inc., C=US + "37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C", + // cacerts alias: geotrustprimarycag2 + // DN: CN=GeoTrust Primary Certification Authority - G2, + // OU=(c) 2007 GeoTrust Inc. - For authorized use only, + // O=GeoTrust Inc., C=US + "5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766", + // cacerts alias: geotrustprimarycag3 + // DN: CN=GeoTrust Primary Certification Authority - G3, + // OU=(c) 2008 GeoTrust Inc. - For authorized use only, + // O=GeoTrust Inc., C=US + "B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4", + // cacerts alias: geotrustuniversalca + // DN: CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US + "A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912", + // cacerts alias: thawteprimaryrootca + // DN: CN=thawte Primary Root CA, + // OU="(c) 2006 thawte, Inc. - For authorized use only", + // OU=Certification Services Division, O="thawte, Inc.", C=US + "8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F", + // cacerts alias: thawteprimaryrootcag2 + // DN: CN=thawte Primary Root CA - G2, + // OU="(c) 2007 thawte, Inc. - For authorized use only", + // O="thawte, Inc.", C=US + "A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557", + // cacerts alias: thawteprimaryrootcag3 + // DN: CN=thawte Primary Root CA - G3, + // OU="(c) 2008 thawte, Inc. - For authorized use only", + // OU=Certification Services Division, O="thawte, Inc.", C=US + "4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C", + // cacerts alias: thawtepremiumserverca + // DN: EMAILADDRESS=premium-server@thawte.com, + // CN=Thawte Premium Server CA, OU=Certification Services Division, + // O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA + "3F9F27D583204B9E09C8A3D2066C4B57D3A2479C3693650880505698105DBCE9", + // cacerts alias: verisignclass2g2ca + // DN: OU=VeriSign Trust Network, + // OU="(c) 1998 VeriSign, Inc. - For authorized use only", + // OU=Class 2 Public Primary Certification Authority - G2, + // O="VeriSign, Inc.", C=US + "3A43E220FE7F3EA9653D1E21742EAC2B75C20FD8980305BC502CAF8C2D9B41A1", + // cacerts alias: verisignclass3ca + // DN: OU=Class 3 Public Primary Certification Authority, + // O="VeriSign, Inc.", C=US + "A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305", + // cacerts alias: verisignclass3g2ca + // DN: OU=VeriSign Trust Network, + // OU="(c) 1998 VeriSign, Inc. - For authorized use only", + // OU=Class 3 Public Primary Certification Authority - G2, + // O="VeriSign, Inc.", C=US + "83CE3C1229688A593D485F81973C0F9195431EDA37CC5E36430E79C7A888638B", + // cacerts alias: verisignclass3g3ca + // DN: CN=VeriSign Class 3 Public Primary Certification Authority - G3, + // OU="(c) 1999 VeriSign, Inc. - For authorized use only", + // OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US + "EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244", + // cacerts alias: verisignclass3g4ca + // DN: CN=VeriSign Class 3 Public Primary Certification Authority - G4, + // OU="(c) 2007 VeriSign, Inc. - For authorized use only", + // OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US + "69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79", + // cacerts alias: verisignclass3g5ca + // DN: CN=VeriSign Class 3 Public Primary Certification Authority - G5, + // OU="(c) 2006 VeriSign, Inc. - For authorized use only", + // OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US + "9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF", + // cacerts alias: verisignuniversalrootca + // DN: CN=VeriSign Universal Root Certification Authority, + // OU="(c) 2008 VeriSign, Inc. - For authorized use only", + // OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US + "2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C" + )); + + // Any TLS Server certificate that is anchored by one of the Symantec + // roots above and is issued after this date will be distrusted. + private static final LocalDate APRIL_16_2019 = + LocalDate.of(2019, Month.APRIL, 16); + + /** + * This method assumes the eeCert is a TLS Server Cert and chains back to + * the anchor. + * + * @param chain the end-entity's certificate chain. The end entity cert + * is at index 0, the trust anchor at index n-1. + * @throws ValidatorException if the certificate is distrusted + */ + static void checkDistrust(X509Certificate[] chain) + throws ValidatorException { + X509Certificate anchor = chain[chain.length-1]; + if (FINGERPRINTS.contains(fingerprint(anchor))) { + Date notBefore = chain[0].getNotBefore(); + LocalDate ldNotBefore = notBefore.toInstant().atZone(ZoneOffset.UTC).toLocalDate(); + + // check if chain goes through one of the subCAs + if (chain.length > 2) { + X509Certificate subCA = chain[chain.length - 2]; + LocalDate distrustDate = EXEMPT_SUBCAS.get(fingerprint(subCA)); + if (distrustDate != null) { + // reject if certificate is issued after specified date + checkNotBefore(ldNotBefore, distrustDate, anchor); + return; // success + } + } + // reject if certificate is issued after April 16, 2019 + checkNotBefore(ldNotBefore, APRIL_16_2019, anchor); + } + } + + private static String fingerprint(X509Certificate cert) { + return (cert instanceof X509CertImpl) + ? ((X509CertImpl)cert).getFingerprint("SHA-256") + : X509CertImpl.getFingerprint("SHA-256", cert); + } + + private static void checkNotBefore(LocalDate notBeforeDate, + LocalDate distrustDate, X509Certificate anchor) + throws ValidatorException { + if (notBeforeDate.isAfter(distrustDate)) { + throw new ValidatorException + ("TLS Server certificate issued after " + distrustDate + + " and anchored by a distrusted legacy Symantec root CA: " + + anchor.getSubjectX500Principal(), + ValidatorException.T_UNTRUSTED_CERT, anchor); + } + } + private SymantecTLSPolicy() {} +} diff --git a/src/share/classes/sun/security/validator/Validator.java b/src/share/classes/sun/security/validator/Validator.java index dd880a7b2d..c96454d1ab 100644 --- a/src/share/classes/sun/security/validator/Validator.java +++ b/src/share/classes/sun/security/validator/Validator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -271,7 +271,7 @@ public abstract class Validator { // redundant. boolean checkUnresolvedCritExts = (type == TYPE_PKIX) ? false : true; - endEntityChecker.check(chain[0], parameter, + endEntityChecker.check(chain, parameter, checkUnresolvedCritExts); } diff --git a/src/share/lib/security/java.security-aix b/src/share/lib/security/java.security-aix index 13abdd6c49..e2c0ff9b3e 100644 --- a/src/share/lib/security/java.security-aix +++ b/src/share/lib/security/java.security-aix @@ -975,3 +975,33 @@ jdk.xml.dsig.secureValidationPolicy=\ # and javax.crypto.spec.SecretKeySpec and rejects all the others. jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\ java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!* + +# +# Policies for distrusting Certificate Authorities (CAs). +# +# This is a comma separated value of one or more case-sensitive strings, each +# of which represents a policy for determining if a CA should be distrusted. +# The supported values are: +# +# +# SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec +# root CA and issued after April 16, 2019 unless issued by one of the +# following subordinate CAs which have a later distrust date: +# 1. Apple IST CA 2 - G1, SHA-256 fingerprint: +# AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B +# Distrust after December 31, 2019. +# 2. Apple IST CA 8 - G1, SHA-256 fingerprint: +# A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED +# Distrust after December 31, 2019. +# Leading and trailing whitespace surrounding each value are ignored. +# Unknown values are ignored. If the property is commented out or set to the +# empty String, no policies are enforced. +# +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be supported by other SE implementations. Also, this +# property does not override other security properties which can restrict +# certificates such as jdk.tls.disabledAlgorithms or +# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even +# if this property is not enabled. +# +jdk.security.caDistrustPolicies=SYMANTEC_TLS diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux index c730d500cf..2f33b1acbc 100644 --- a/src/share/lib/security/java.security-linux +++ b/src/share/lib/security/java.security-linux @@ -981,3 +981,33 @@ jdk.xml.dsig.secureValidationPolicy=\ # and javax.crypto.spec.SecretKeySpec and rejects all the others. jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\ java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!* + +# +# Policies for distrusting Certificate Authorities (CAs). +# +# This is a comma separated value of one or more case-sensitive strings, each +# of which represents a policy for determining if a CA should be distrusted. +# The supported values are: +# +# +# SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec +# root CA and issued after April 16, 2019 unless issued by one of the +# following subordinate CAs which have a later distrust date: +# 1. Apple IST CA 2 - G1, SHA-256 fingerprint: +# AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B +# Distrust after December 31, 2019. +# 2. Apple IST CA 8 - G1, SHA-256 fingerprint: +# A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED +# Distrust after December 31, 2019. +# Leading and trailing whitespace surrounding each value are ignored. +# Unknown values are ignored. If the property is commented out or set to the +# empty String, no policies are enforced. +# +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be supported by other SE implementations. Also, this +# property does not override other security properties which can restrict +# certificates such as jdk.tls.disabledAlgorithms or +# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even +# if this property is not enabled. +# +jdk.security.caDistrustPolicies=SYMANTEC_TLS diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx index 2ac463791b..277c3356d3 100644 --- a/src/share/lib/security/java.security-macosx +++ b/src/share/lib/security/java.security-macosx @@ -979,3 +979,33 @@ jdk.xml.dsig.secureValidationPolicy=\ # and javax.crypto.spec.SecretKeySpec and rejects all the others. jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\ java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!* + +# +# Policies for distrusting Certificate Authorities (CAs). +# +# This is a comma separated value of one or more case-sensitive strings, each +# of which represents a policy for determining if a CA should be distrusted. +# The supported values are: +# +# +# SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec +# root CA and issued after April 16, 2019 unless issued by one of the +# following subordinate CAs which have a later distrust date: +# 1. Apple IST CA 2 - G1, SHA-256 fingerprint: +# AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B +# Distrust after December 31, 2019. +# 2. Apple IST CA 8 - G1, SHA-256 fingerprint: +# A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED +# Distrust after December 31, 2019. +# Leading and trailing whitespace surrounding each value are ignored. +# Unknown values are ignored. If the property is commented out or set to the +# empty String, no policies are enforced. +# +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be supported by other SE implementations. Also, this +# property does not override other security properties which can restrict +# certificates such as jdk.tls.disabledAlgorithms or +# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even +# if this property is not enabled. +# +jdk.security.caDistrustPolicies=SYMANTEC_TLS diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris index a5c4d86596..27ce9669e7 100644 --- a/src/share/lib/security/java.security-solaris +++ b/src/share/lib/security/java.security-solaris @@ -978,3 +978,33 @@ jdk.xml.dsig.secureValidationPolicy=\ # and javax.crypto.spec.SecretKeySpec and rejects all the others. jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\ java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!* + +# +# Policies for distrusting Certificate Authorities (CAs). +# +# This is a comma separated value of one or more case-sensitive strings, each +# of which represents a policy for determining if a CA should be distrusted. +# The supported values are: +# +# +# SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec +# root CA and issued after April 16, 2019 unless issued by one of the +# following subordinate CAs which have a later distrust date: +# 1. Apple IST CA 2 - G1, SHA-256 fingerprint: +# AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B +# Distrust after December 31, 2019. +# 2. Apple IST CA 8 - G1, SHA-256 fingerprint: +# A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED +# Distrust after December 31, 2019. +# Leading and trailing whitespace surrounding each value are ignored. +# Unknown values are ignored. If the property is commented out or set to the +# empty String, no policies are enforced. +# +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be supported by other SE implementations. Also, this +# property does not override other security properties which can restrict +# certificates such as jdk.tls.disabledAlgorithms or +# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even +# if this property is not enabled. +# +jdk.security.caDistrustPolicies=SYMANTEC_TLS diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows index a0ce655dcc..58aad3a1d8 100644 --- a/src/share/lib/security/java.security-windows +++ b/src/share/lib/security/java.security-windows @@ -979,3 +979,33 @@ jdk.xml.dsig.secureValidationPolicy=\ # and javax.crypto.spec.SecretKeySpec and rejects all the others. jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\ java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!* + +# +# Policies for distrusting Certificate Authorities (CAs). +# +# This is a comma separated value of one or more case-sensitive strings, each +# of which represents a policy for determining if a CA should be distrusted. +# The supported values are: +# +# +# SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec +# root CA and issued after April 16, 2019 unless issued by one of the +# following subordinate CAs which have a later distrust date: +# 1. Apple IST CA 2 - G1, SHA-256 fingerprint: +# AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B +# Distrust after December 31, 2019. +# 2. Apple IST CA 8 - G1, SHA-256 fingerprint: +# A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED +# Distrust after December 31, 2019. +# Leading and trailing whitespace surrounding each value are ignored. +# Unknown values are ignored. If the property is commented out or set to the +# empty String, no policies are enforced. +# +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be supported by other SE implementations. Also, this +# property does not override other security properties which can restrict +# certificates such as jdk.tls.disabledAlgorithms or +# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even +# if this property is not enabled. +# +jdk.security.caDistrustPolicies=SYMANTEC_TLS |