changeset 14645:1affb3bb2b3c

8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one Reviewed-by: mullan, andrew
author mbalao
date Thu, 02 Apr 2020 18:18:23 -0300
parents 160797b3c05b
children 2f117c583973
files src/share/classes/sun/security/validator/PKIXValidator.java src/share/lib/security/java.security-aix src/share/lib/security/java.security-linux src/share/lib/security/java.security-macosx src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows
diffstat 6 files changed, 77 insertions(+), 12 deletions(-) [+]
--- a/src/share/classes/sun/security/validator/PKIXValidator.java	Wed Jul 29 05:41:51 2020 +0100
+++ b/src/share/classes/sun/security/validator/PKIXValidator.java	Thu Apr 02 18:18:23 2020 -0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,9 +32,9 @@
 
 import javax.security.auth.x500.X500Principal;
 import sun.security.action.GetBooleanAction;
-import sun.security.action.GetPropertyAction;
 import sun.security.provider.certpath.AlgorithmChecker;
 import sun.security.provider.certpath.PKIXExtendedParameters;
+import sun.security.util.SecurityProperties;
 
 /**
  * Validator implementation built on the PKIX CertPath API. This
@@ -66,14 +66,14 @@
     private final static boolean TRY_VALIDATOR = true;
 
     /**
-     * System property that if set (or set to "true"), allows trust anchor
-     * certificates to be used if they do not have the proper CA extensions.
-     * Set to false if prop is not set, or set to any other value.
+     * System or security property that if set (or set to "true"), allows trust
+     * anchor certificates to be used if they do not have the proper CA
+     * extensions. Set to false if prop is not set, or set to any other value.
      */
     private static final boolean ALLOW_NON_CA_ANCHOR = allowNonCaAnchor();
     private static boolean allowNonCaAnchor() {
-        String prop = GetPropertyAction
-            .privilegedGetProperty("jdk.security.allowNonCaAnchor");
+        String prop = SecurityProperties
+                .privilegedGetOverridable("jdk.security.allowNonCaAnchor");
         return prop != null && (prop.isEmpty() || prop.equalsIgnoreCase("true"));
     }
 
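Review bot: The `prop.isEmpty()` branch in `allowNonCaAnchor()` was written for a bare `-Djdk.security.allowNonCaAnchor` flag, but it now also applies to whatever `privilegedGetOverridable` returns from the security property. An entry left as `jdk.security.allowNonCaAnchor=` in java.security would therefore presumably turn the CA Basic Constraints and keyCertSign checks off, which is a fail-open reading of an empty value. If that is intended, state it in the Javadoc, for example `An empty value, from either source, is treated as "true".` The same comment could note that the value is cached in the static final `ALLOW_NON_CA_ANCHOR`, so a later change to either property is not picked up.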
--- a/src/share/lib/security/java.security-aix	Wed Jul 29 05:41:51 2020 +0100
+++ b/src/share/lib/security/java.security-aix	Thu Apr 02 18:18:23 2020 -0300
@@ -1093,4 +1093,17 @@
 # If a system property of the same name is also specified, it supersedes the
 # security property value defined here.
 #
-#jdk.security.krb5.default.initiate.credential=always-impersonate
\ No newline at end of file
+#jdk.security.krb5.default.initiate.credential=always-impersonate
+
+#
+# Trust Anchor Certificates - CA Basic Constraint check
+#
+# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
+# connections) must have the cA Basic Constraint field set to 'true'. Also, if
+# they include a Key Usage extension, the keyCertSign bit must be set. These
+# checks, enabled by default, can be disabled for backward-compatibility
+# purposes with the jdk.security.allowNonCaAnchor System and Security
+# properties. In the case that both properties are simultaneously set, the
+# System value prevails. The default value of the property is "false".
+#
+#jdk.security.allowNonCaAnchor=true
\ No newline at end of file
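Review bot: The added comment block names the default but not the values that disable the checks. Per `allowNonCaAnchor()` in PKIXValidator.java in this changeset, an empty value counts as well as a case-insensitive "true". An administrator auditing this file would want that spelled out, for example `# The checks are disabled only when the value is empty or "true" (case-insensitive).` It would also help to say that the property is read once, when the validator class initializes, and that a system property set on the command line overrides a hardened value here. The identical block is added to the -linux, -macosx, -solaris and -windows files, so the same applies there.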
--- a/src/share/lib/security/java.security-linux	Wed Jul 29 05:41:51 2020 +0100
+++ b/src/share/lib/security/java.security-linux	Thu Apr 02 18:18:23 2020 -0300
@@ -1099,4 +1099,17 @@
 # If a system property of the same name is also specified, it supersedes the
 # security property value defined here.
 #
-#jdk.security.krb5.default.initiate.credential=always-impersonate
\ No newline at end of file
+#jdk.security.krb5.default.initiate.credential=always-impersonate
+
+#
+# Trust Anchor Certificates - CA Basic Constraint check
+#
+# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
+# connections) must have the cA Basic Constraint field set to 'true'. Also, if
+# they include a Key Usage extension, the keyCertSign bit must be set. These
+# checks, enabled by default, can be disabled for backward-compatibility
+# purposes with the jdk.security.allowNonCaAnchor System and Security
+# properties. In the case that both properties are simultaneously set, the
+# System value prevails. The default value of the property is "false".
+#
+#jdk.security.allowNonCaAnchor=true
\ No newline at end of file
--- a/src/share/lib/security/java.security-macosx	Wed Jul 29 05:41:51 2020 +0100
+++ b/src/share/lib/security/java.security-macosx	Thu Apr 02 18:18:23 2020 -0300
@@ -1097,4 +1097,17 @@
 # If a system property of the same name is also specified, it supersedes the
 # security property value defined here.
 #
-#jdk.security.krb5.default.initiate.credential=always-impersonate
\ No newline at end of file
+#jdk.security.krb5.default.initiate.credential=always-impersonate
+
+#
+# Trust Anchor Certificates - CA Basic Constraint check
+#
+# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
+# connections) must have the cA Basic Constraint field set to 'true'. Also, if
+# they include a Key Usage extension, the keyCertSign bit must be set. These
+# checks, enabled by default, can be disabled for backward-compatibility
+# purposes with the jdk.security.allowNonCaAnchor System and Security
+# properties. In the case that both properties are simultaneously set, the
+# System value prevails. The default value of the property is "false".
+#
+#jdk.security.allowNonCaAnchor=true
\ No newline at end of file
--- a/src/share/lib/security/java.security-solaris	Wed Jul 29 05:41:51 2020 +0100
+++ b/src/share/lib/security/java.security-solaris	Thu Apr 02 18:18:23 2020 -0300
@@ -1095,4 +1095,17 @@
 # If a system property of the same name is also specified, it supersedes the
 # security property value defined here.
 #
-#jdk.security.krb5.default.initiate.credential=always-impersonate
\ No newline at end of file
+#jdk.security.krb5.default.initiate.credential=always-impersonate
+
+#
+# Trust Anchor Certificates - CA Basic Constraint check
+#
+# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
+# connections) must have the cA Basic Constraint field set to 'true'. Also, if
+# they include a Key Usage extension, the keyCertSign bit must be set. These
+# checks, enabled by default, can be disabled for backward-compatibility
+# purposes with the jdk.security.allowNonCaAnchor System and Security
+# properties. In the case that both properties are simultaneously set, the
+# System value prevails. The default value of the property is "false".
+#
+#jdk.security.allowNonCaAnchor=true
\ No newline at end of file
--- a/src/share/lib/security/java.security-windows	Wed Jul 29 05:41:51 2020 +0100
+++ b/src/share/lib/security/java.security-windows	Thu Apr 02 18:18:23 2020 -0300
@@ -1097,4 +1097,17 @@
 # If a system property of the same name is also specified, it supersedes the
 # security property value defined here.
 #
-#jdk.security.krb5.default.initiate.credential=always-impersonate
\ No newline at end of file
+#jdk.security.krb5.default.initiate.credential=always-impersonate
+
+#
+# Trust Anchor Certificates - CA Basic Constraint check
+#
+# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
+# connections) must have the cA Basic Constraint field set to 'true'. Also, if
+# they include a Key Usage extension, the keyCertSign bit must be set. These
+# checks, enabled by default, can be disabled for backward-compatibility
+# purposes with the jdk.security.allowNonCaAnchor System and Security
+# properties. In the case that both properties are simultaneously set, the
+# System value prevails. The default value of the property is "false".
+#
+#jdk.security.allowNonCaAnchor=true
\ No newline at end of file