archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-27 23:04:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one

Browse source 
Reviewed-by: mullan
This commit is contained in:
Martin Balao 2020-04-02 18:18:23 -03:00
parent 1cca0e48e0
commit 1c651455a7
2 changed files with 20 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/java.base/share/classes/sun/security/validator/PKIXValidator.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -32,9 +32,9 @@ import java.security.cert.*;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import sun.security.action.GetBooleanAction; import sun.security.action.GetBooleanAction;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker; import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.provider.certpath.PKIXExtendedParameters; import sun.security.provider.certpath.PKIXExtendedParameters;
import sun.security.util.SecurityProperties;
/** /**
* Validator implementation built on the PKIX CertPath API. This * Validator implementation built on the PKIX CertPath API. This
@ -62,14 +62,14 @@ public final class PKIXValidator extends Validator {
.privilegedGetProperty("com.sun.net.ssl.checkRevocation"); .privilegedGetProperty("com.sun.net.ssl.checkRevocation");
/** /**
* System property that if set (or set to "true"), allows trust anchor * System or security property that if set (or set to "true"), allows trust
* certificates to be used if they do not have the proper CA extensions. * anchor certificates to be used if they do not have the proper CA
* Set to false if prop is not set, or set to any other value. * extensions. Set to false if prop is not set, or set to any other value.
*/ */
private static final boolean ALLOW_NON_CA_ANCHOR = allowNonCaAnchor(); private static final boolean ALLOW_NON_CA_ANCHOR = allowNonCaAnchor();
private static boolean allowNonCaAnchor() { private static boolean allowNonCaAnchor() {
String prop = GetPropertyAction String prop = SecurityProperties
.privilegedGetProperty("jdk.security.allowNonCaAnchor"); .privilegedGetOverridable("jdk.security.allowNonCaAnchor");
return prop != null && (prop.isEmpty() || prop.equalsIgnoreCase("true")); return prop != null && (prop.isEmpty() || prop.equalsIgnoreCase("true"));
} }

13
src/java.base/share/conf/security/java.security
View file

@ -1301,3 +1301,16 @@ jdk.io.permissionsUseCanonicalPath=false
# security property value defined here. # security property value defined here.
# #
#jdk.security.krb5.default.initiate.credential=always-impersonate #jdk.security.krb5.default.initiate.credential=always-impersonate
#
# Trust Anchor Certificates - CA Basic Constraint check
#
# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
# connections) must have the cA Basic Constraint field set to 'true'. Also, if
# they include a Key Usage extension, the keyCertSign bit must be set. These
# checks, enabled by default, can be disabled for backward-compatibility
# purposes with the jdk.security.allowNonCaAnchor System and Security
# properties. In the case that both properties are simultaneously set, the
# System value prevails. The default value of the property is "false".
#
#jdk.security.allowNonCaAnchor=true