JDK-8153777 : Implement "denyAfter" constraint
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2016-04-07
  • Updated: 2016-05-27
  • Resolved: 2016-05-27
  • Fix Version: JDK 9 (Fixed)
Description
This dev task involves implementing the "denyAfter" constraint (JDK-8154005) and items #2, #3, and #5 in the "Disable SHA-1 Certificates" JEP: http://openjdk.java.net/jeps/8149555

It also includes getting CCC approval for the new constraint.


Problem:
Continuing the CertPath validation work started in 8140422: when algorithms are being phased out, a standards body sets an end date for the industry to stop using them.  However, not everyone may be able to comply by that end date, a company may want to set its own internal dates, or the date may be moved by the standards body.  Having flexibility for this end date is important.

Solution:
Establishing a date constraint for when a DisabledAlgorithm constraint denies access gives everyone that flexibility.  The constraint can be added as a condition to any DisabledAlgorithm constraint.  The constraint is called "denyAfter".  It is followed by a date in the format YYYYMMDD.  The date represents the machine's local time at which the constraint will start being denied.  For example:  SHA1 jdkCA & denyAfter 20170101
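The following is an added model of the constraint syntax described above, written for this page and not taken from the JDK sources. It assumes the property-file conventions of comma-separated entries and `&`-joined conditions, treats `jdkCA` as limiting the constraint to chains ending at a JDK-shipped trust anchor (an assumption drawn from the java.security documentation, not from this page), and treats the `denyAfter` date itself as the first local date on which the algorithm is denied.

```python
"""Model of the 'denyAfter' constraint syntax. Constructed illustration, not JDK code.
Assumptions: entries are comma-separated; conditions are joined with '&'; 'jdkCA'
restricts the constraint to chains that end at a JDK-shipped trust anchor; the
'denyAfter YYYYMMDD' date is the first local date on which the algorithm is denied."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

DENY_AFTER = re.compile(r"^denyAfter\s+(\d{8})$")

def parse_yyyymmdd(text: str) -> date:
    """Turn '20170101' into a date; impossible dates such as 20170132 raise ValueError."""
    return date(int(text[0:4]), int(text[4:6]), int(text[6:8]))

@dataclass
class AlgorithmConstraint:
    algorithm: str
    jdk_ca_only: bool = False          # 'jdkCA' condition present
    deny_after: Optional[date] = None  # 'denyAfter YYYYMMDD' condition, if any

def parse_constraints(property_value: str) -> list:
    """Parse e.g. 'MD2, SHA1 jdkCA & denyAfter 20170101' into constraint objects."""
    result = []
    for entry in filter(None, (e.strip() for e in property_value.split(","))):
        algorithm, _, rest = entry.partition(" ")
        constraint = AlgorithmConstraint(algorithm.upper())
        for condition in filter(None, (c.strip() for c in rest.split("&"))):
            if condition == "jdkCA":
                constraint.jdk_ca_only = True
            elif (m := DENY_AFTER.match(condition)):
                constraint.deny_after = parse_yyyymmdd(m.group(1))
            else:
                raise ValueError(f"unknown condition {condition!r} in {entry!r}")
        result.append(constraint)
    return result

def is_denied(constraints, algorithm, chains_to_jdk_ca, today):
    """True if some constraint on this algorithm has all of its conditions satisfied."""
    for c in constraints:
        if c.algorithm != algorithm.upper():
            continue
        if c.jdk_ca_only and not chains_to_jdk_ca:
            continue  # constraint only applies to chains ending at a JDK trust anchor
        if c.deny_after is not None and today < c.deny_after:
            continue  # the denyAfter date has not been reached yet
        return True
    return False
```

With the page's example entry, a SHA1 certificate chaining to a JDK trust anchor is still permitted on 2016-12-31 and denied from 2017-01-01 on, while an unconditional `MD2` entry is denied on any date.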