src/java.base/share/conf/security/java.security
*** 497,513 ****
# BNF-style:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
! # AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
! # KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator DecimalInteger
#
# Operator:
--- 497,513 ----
# BNF-style:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
! # AlgorithmName [Constraint] { '&' Constraint }
#
# AlgorithmName:
# (see below)
#
# Constraint:
! # KeySizeConstraint | CertConstraint
#
# KeySizeConstraint:
# keySize Operator DecimalInteger
#
# Operator:
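Review bot: the revised DisabledAlgorithm production `AlgorithmName [Constraint] { '&' Constraint }` makes the first Constraint optional but still allows the `'&' Constraint` repetition when it is absent, so a string such as `RSA & jdkCA` is grammatical even though the prose below only describes the ampersand as a delimiter between constraints. Consider `AlgorithmName [Constraint { '&' Constraint }]` so the repetition is only reachable after a first constraint.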
*** 520,529 ****
--- 520,532 ----
# DecimalDigit {DecimalDigit}
#
# DecimalDigit: one of
# 1 2 3 4 5 6 7 8 9 0
#
+ # CertConstraint
+ # jdkCA
+ #
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
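Review bot: the new `# CertConstraint` production lacks the trailing colon that every other nonterminal in this BNF block uses (`# Constraint:`, `# KeySizeConstraint:`, `# DecimalDigit: one of`); write it as `# CertConstraint:` so the grammar reads consistently.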
*** 542,551 ****
--- 545,576 ----
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
+ # "CertConstraint" specifies additional constraints for
+ # certificates that contain algorithms that are restricted:
+ #
+ # "jdkCA" prohibits the algorithm only if it is used in a
+ # certificate chain that terminates at a marked trust anchor in the
+ # lib/security/cacerts keystore. All other chains are not affected.
+ # If the jdkCA constraint is not set, then all chains using the
+ # specified algorithm are restricted.
+ # Example: To apply this constraint to SHA-1 certificates, include
+ # the following: "SHA1 jdkCA"
+ #
+ # When an algorithm must satisfy more than one constraint, it must be
+ # delimited by an ampersand '&'. For example, to restrict certificates in a
+ # chain that terminate at a distribution provided trust anchor and contain
+ # RSA keys that are less than or equal to 1024 bits, add the following
+ # constraint: "RSA keySize <= 1024 & jdkCA".
+ #
+ # All DisabledAlgorithms expressions are processed in the order defined in the
+ # property. This requires lower keysize constraints to be specified
+ # before larger keysize constraints of the same algorithm. For example:
+ # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
+ #
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
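Review bot: the ordering requirement in the last added paragraph states that lower keysize constraints must precede larger ones but does not say why; if the first matching expression decides the outcome, say so explicitly, since that is what makes `RSA keySize < 2048, RSA keySize < 1024 & jdkCA` silently disable all small RSA keys regardless of the jdkCA qualifier. The same paragraph group also names the trust anchor two different ways, "marked trust anchor in the lib/security/cacerts keystore" and "distribution provided trust anchor"; pick one term and state how an anchor comes to be marked, so a reader can tell which of their cacerts entries the jdkCA constraint applies to.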