This dev subtask involves implementing the jdkCA constraint (JDK-8140422). It also includes getting CCC approval.


Problem
With the increasing chances of collisions with SHA1-signed certificates, we need better control of a certificate's chain of trust without disabling private CA-signed or self-signed certificates that an enterprise may depend on. Enterprises typically take longer to conform to algorithm restrictions. Today, the algorithm checking for CertPath is too coarse, it is either enabled or disabled.
 
Solution
Add a new constraint for the restricted algorithms in a certificate chain if the trust anchor is a public CA in the cacerts keystore. This allows to disable most CertPath validation and builder operations while still allowing private CA trust anchors or self-signed certs to operate in a private/enterprise environment. This significantly reduces the compatibility risk for certificate algorithms such as SHA-1 that have been heavily deployed in enterprises, and allows us to disable it in a phased approach.
 
The option can be used on the jdk.certpath.disabledAlgorithms security property. The keyword is "jdkCA".  To disable SHA1 for the new constraint, the property option would look like "SHA1 jdkCA".
 
Also, the syntax has been extended with an '&' keyword to allow multiple constraints to be specified for each algorithm.