# HG changeset patch
# User igerasim
# Date 1476986898 -10800
# Thu Oct 20 21:08:18 2016 +0300
# Node ID f25036d01a7bf4bbe7d497974313f653e70c00ce
# Parent b22e56f1dc736abc1c879fd2c1b3944f26890c8e
[mq]: 8167591-Add-MD5-to-signed-JAR-restrictions
diff --git a/src/share/lib/security/java.security-aix b/src/share/lib/security/java.security-aix
--- a/src/share/lib/security/java.security-aix
+++ b/src/share/lib/security/java.security-aix
@@ -483,6 +483,43 @@
 #
 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation. For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm. This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+# DisabledAlgorithms:
+# " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+# DisabledAlgorithm:
+# AlgorithmName [Constraint]
+#
+# AlgorithmName:
+# (see below)
+#
+# Constraint:
+# KeySizeConstraint
+#
+# KeySizeConstraint:
+# keySize Operator KeyLength
+#
+# Operator:
+# <= | < | == | != | >= | >
+#
+# KeyLength:
+# Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
+
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
 #
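Review bot: The relocated comment block's `AlgorithmName: (see below)` refers to nothing, because the block goes straight on to the `Note:` paragraph and the property line. A reader therefore cannot tell which name forms are accepted, or whether the newly added `MD5` entry matches the manifest digest, the signature algorithm (for example MD5withRSA), or both. I would replace it with a comment along the lines of `# (same name forms and matching as jdk.certpath.disabledAlgorithms)`, assuming the JAR check shares that matching, which this patch does not show. The introductory example also still names only "MD2" although the default now disables MD5 as well; since affected JARs are silently "treated as unsigned" rather than rejected, naming MD5 there would help operators connect a loss of signed status to this setting. The same hunk is repeated in the -linux, -macosx, -solaris and -windows files.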
@@ -624,40 +661,3 @@
 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 # FFFFFFFF FFFFFFFF, 2}
-
-# Algorithm restrictions for signed JAR files
-#
-# In some environments, certain algorithms or key lengths may be undesirable
-# for signed JAR validation. For example, "MD2" is generally no longer
-# considered to be a secure hash algorithm. This section describes the
-# mechanism for disabling algorithms based on algorithm name and/or key length.
-# JARs signed with any of the disabled algorithms or key sizes will be treated
-# as unsigned.
-#
-# The syntax of the disabled algorithm string is described as follows:
-# DisabledAlgorithms:
-# " DisabledAlgorithm { , DisabledAlgorithm } "
-#
-# DisabledAlgorithm:
-# AlgorithmName [Constraint]
-#
-# AlgorithmName:
-# (see below)
-#
-# Constraint:
-# KeySizeConstraint
-#
-# KeySizeConstraint:
-# keySize Operator KeyLength
-#
-# Operator:
-# <= | < | == | != | >= | >
-#
-# KeyLength:
-# Integer value of the algorithm's key length in bits
-#
-# Note: This property is currently used by the JDK Reference
-# implementation. It is not guaranteed to be examined and used by other
-# implementations.
-#
-jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux
--- a/src/share/lib/security/java.security-linux
+++ b/src/share/lib/security/java.security-linux
@@ -483,6 +483,43 @@
 #
 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation. For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm. This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+# DisabledAlgorithms:
+# " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+# DisabledAlgorithm:
+# AlgorithmName [Constraint]
+#
+# AlgorithmName:
+# (see below)
+#
+# Constraint:
+# KeySizeConstraint
+#
+# KeySizeConstraint:
+# keySize Operator KeyLength
+#
+# Operator:
+# <= | < | == | != | >= | >
+#
+# KeyLength:
+# Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
+
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
 #
@@ -624,40 +661,3 @@
 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 # FFFFFFFF FFFFFFFF, 2}
-
-# Algorithm restrictions for signed JAR files
-#
-# In some environments, certain algorithms or key lengths may be undesirable
-# for signed JAR validation. For example, "MD2" is generally no longer
-# considered to be a secure hash algorithm. This section describes the
-# mechanism for disabling algorithms based on algorithm name and/or key length.
-# JARs signed with any of the disabled algorithms or key sizes will be treated
-# as unsigned.
-#
-# The syntax of the disabled algorithm string is described as follows:
-# DisabledAlgorithms:
-# " DisabledAlgorithm { , DisabledAlgorithm } "
-#
-# DisabledAlgorithm:
-# AlgorithmName [Constraint]
-#
-# AlgorithmName:
-# (see below)
-#
-# Constraint:
-# KeySizeConstraint
-#
-# KeySizeConstraint:
-# keySize Operator KeyLength
-#
-# Operator:
-# <= | < | == | != | >= | >
-#
-# KeyLength:
-# Integer value of the algorithm's key length in bits
-#
-# Note: This property is currently used by the JDK Reference
-# implementation. It is not guaranteed to be examined and used by other
-# implementations.
-#
-jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx
--- a/src/share/lib/security/java.security-macosx
+++ b/src/share/lib/security/java.security-macosx
@@ -486,6 +486,43 @@
 #
 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation. For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm. This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+# DisabledAlgorithms:
+# " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+# DisabledAlgorithm:
+# AlgorithmName [Constraint]
+#
+# AlgorithmName:
+# (see below)
+#
+# Constraint:
+# KeySizeConstraint
+#
+# KeySizeConstraint:
+# keySize Operator KeyLength
+#
+# Operator:
+# <= | < | == | != | >= | >
+#
+# KeyLength:
+# Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
+
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
 #
@@ -627,40 +664,3 @@
 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 # FFFFFFFF FFFFFFFF, 2}
-
-# Algorithm restrictions for signed JAR files
-#
-# In some environments, certain algorithms or key lengths may be undesirable
-# for signed JAR validation. For example, "MD2" is generally no longer
-# considered to be a secure hash algorithm. This section describes the
-# mechanism for disabling algorithms based on algorithm name and/or key length.
-# JARs signed with any of the disabled algorithms or key sizes will be treated
-# as unsigned.
-#
-# The syntax of the disabled algorithm string is described as follows:
-# DisabledAlgorithms:
-# " DisabledAlgorithm { , DisabledAlgorithm } "
-#
-# DisabledAlgorithm:
-# AlgorithmName [Constraint]
-#
-# AlgorithmName:
-# (see below)
-#
-# Constraint:
-# KeySizeConstraint
-#
-# KeySizeConstraint:
-# keySize Operator KeyLength
-#
-# Operator:
-# <= | < | == | != | >= | >
-#
-# KeyLength:
-# Integer value of the algorithm's key length in bits
-#
-# Note: This property is currently used by the JDK Reference
-# implementation. It is not guaranteed to be examined and used by other
-# implementations.
-#
-jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris
--- a/src/share/lib/security/java.security-solaris
+++ b/src/share/lib/security/java.security-solaris
@@ -485,6 +485,43 @@
 #
 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation. For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm. This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+# DisabledAlgorithms:
+# " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+# DisabledAlgorithm:
+# AlgorithmName [Constraint]
+#
+# AlgorithmName:
+# (see below)
+#
+# Constraint:
+# KeySizeConstraint
+#
+# KeySizeConstraint:
+# keySize Operator KeyLength
+#
+# Operator:
+# <= | < | == | != | >= | >
+#
+# KeyLength:
+# Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
+
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
 #
@@ -626,40 +663,3 @@
 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 # FFFFFFFF FFFFFFFF, 2}
-
-# Algorithm restrictions for signed JAR files
-#
-# In some environments, certain algorithms or key lengths may be undesirable
-# for signed JAR validation. For example, "MD2" is generally no longer
-# considered to be a secure hash algorithm. This section describes the
-# mechanism for disabling algorithms based on algorithm name and/or key length.
-# JARs signed with any of the disabled algorithms or key sizes will be treated
-# as unsigned.
-#
-# The syntax of the disabled algorithm string is described as follows:
-# DisabledAlgorithms:
-# " DisabledAlgorithm { , DisabledAlgorithm } "
-#
-# DisabledAlgorithm:
-# AlgorithmName [Constraint]
-#
-# AlgorithmName:
-# (see below)
-#
-# Constraint:
-# KeySizeConstraint
-#
-# KeySizeConstraint:
-# keySize Operator KeyLength
-#
-# Operator:
-# <= | < | == | != | >= | >
-#
-# KeyLength:
-# Integer value of the algorithm's key length in bits
-#
-# Note: This property is currently used by the JDK Reference
-# implementation. It is not guaranteed to be examined and used by other
-# implementations.
-#
-jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows
--- a/src/share/lib/security/java.security-windows
+++ b/src/share/lib/security/java.security-windows
@@ -486,6 +486,43 @@
 #
 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation. For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm. This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+# DisabledAlgorithms:
+# " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+# DisabledAlgorithm:
+# AlgorithmName [Constraint]
+#
+# AlgorithmName:
+# (see below)
+#
+# Constraint:
+# KeySizeConstraint
+#
+# KeySizeConstraint:
+# keySize Operator KeyLength
+#
+# Operator:
+# <= | < | == | != | >= | >
+#
+# KeyLength:
+# Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
+
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
 #
@@ -627,40 +664,3 @@
 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 # FFFFFFFF FFFFFFFF, 2}
-
-# Algorithm restrictions for signed JAR files
-#
-# In some environments, certain algorithms or key lengths may be undesirable
-# for signed JAR validation. For example, "MD2" is generally no longer
-# considered to be a secure hash algorithm. This section describes the
-# mechanism for disabling algorithms based on algorithm name and/or key length.
-# JARs signed with any of the disabled algorithms or key sizes will be treated
-# as unsigned.
-#
-# The syntax of the disabled algorithm string is described as follows:
-# DisabledAlgorithms:
-# " DisabledAlgorithm { , DisabledAlgorithm } "
-#
-# DisabledAlgorithm:
-# AlgorithmName [Constraint]
-#
-# AlgorithmName:
-# (see below)
-#
-# Constraint:
-# KeySizeConstraint
-#
-# KeySizeConstraint:
-# keySize Operator KeyLength
-#
-# Operator:
-# <= | < | == | != | >= | >
-#
-# KeyLength:
-# Integer value of the algorithm's key length in bits
-#
-# Note: This property is currently used by the JDK Reference
-# implementation. It is not guaranteed to be examined and used by other
-# implementations.
-#
-jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024