958 # It is not guaranteed to be examined and used by other implementations.
959 #
960 #com.sun.CORBA.ORBIorTypeCheckRegistryFilter=binary_class_name;binary_class_name
961
962 #
963 # JCEKS Encrypted Key Serial Filter
964 #
965 # This filter, if configured, is used by the JCEKS KeyStore during the
966 # deserialization of the encrypted Key object stored inside a key entry.
967 # If not configured or the filter result is UNDECIDED (i.e. none of the patterns
968 # matches), the filter configured by jdk.serialFilter will be consulted.
969 #
970 # If the system property jceks.key.serialFilter is also specified, it supersedes
971 # the security property value defined here.
972 #
973 # The filter pattern uses the same format as jdk.serialFilter. The default
974 # pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type,
975 # and javax.crypto.spec.SecretKeySpec and rejects all the others.
976 jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
977 java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
|
958 # It is not guaranteed to be examined and used by other implementations.
959 #
960 #com.sun.CORBA.ORBIorTypeCheckRegistryFilter=binary_class_name;binary_class_name
961
962 #
963 # JCEKS Encrypted Key Serial Filter
964 #
965 # This filter, if configured, is used by the JCEKS KeyStore during the
966 # deserialization of the encrypted Key object stored inside a key entry.
967 # If not configured or the filter result is UNDECIDED (i.e. none of the patterns
968 # matches), the filter configured by jdk.serialFilter will be consulted.
969 #
970 # If the system property jceks.key.serialFilter is also specified, it supersedes
971 # the security property value defined here.
972 #
973 # The filter pattern uses the same format as jdk.serialFilter. The default
974 # pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type,
975 # and javax.crypto.spec.SecretKeySpec and rejects all the others.
976 jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
977 java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
978
979 #
980 # Policies for distrusting Certificate Authorities (CAs).
981 #
982 # This is a comma separated value of one or more case-sensitive strings, each
983 # of which represents a policy for determining if a CA should be distrusted.
984 # The supported values are:
985 #
986 #
987 # SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec
988 # root CA and issued after April 16, 2019 unless issued by one of the
989 # following subordinate CAs which have a later distrust date:
990 # 1. Apple IST CA 2 - G1, SHA-256 fingerprint:
991 # AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B
992 # Distrust after December 31, 2019.
993 # 2. Apple IST CA 8 - G1, SHA-256 fingerprint:
994 # A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
995 # Distrust after December 31, 2019.
996 # Leading and trailing whitespace surrounding each value are ignored.
997 # Unknown values are ignored. If the property is commented out or set to the
998 # empty String, no policies are enforced.
999 #
1000 # Note: This property is currently used by the JDK Reference implementation.
1001 # It is not guaranteed to be supported by other SE implementations. Also, this
1002 # property does not override other security properties which can restrict
1003 # certificates such as jdk.tls.disabledAlgorithms or
1004 # jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
1005 # if this property is not enabled.
1006 #
1007 jdk.security.caDistrustPolicies=SYMANTEC_TLS
|
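Review bot: The value handling described at new lines 982-983 and 996-998 fails open: policy names are case-sensitive and "Unknown values are ignored", so a misspelled or wrong-case entry leaves jdk.security.caDistrustPolicies non-empty while enforcing nothing. Consider stating that consequence in the comment, or having the implementation log unrecognized values if it does not already, so an operator who edits this line can tell the SYMANTEC_TLS policy is not in effect. Two smaller points: the text says "issued after April 16, 2019" without naming the certificate field that date is compared against, and new lines 985-986 are two consecutive empty "#" lines where one would do.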