JDK-8170706 : Support algorithm constraints in SunX509 key manager
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P4
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2016-12-04
  • Updated: 2025-05-15
The Version table provides details related to the release that this issue/RFE will be addressed.
Other: tbd (Unresolved)
Description
Algorithm constraints are supported in the PKIX key manager; however, the SunX509 key manager does not support them yet. As SunX509 is the default key manager, for safety by default, we may want to evaluate further whether it is possible to support algorithm constraints in the SunX509 key manager, too.

If a key manager does not support algorithm constraints, there may be an interop issue because one side cannot select the right cert while the other side will reject a weak cert because of algorithm constraints.
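While the default remains SunX509, an application can request the PKIX key manager explicitly, either per `SSLContext` or through the `ssl.KeyManagerFactory.algorithm` security property. The following is an added example, not code from this report or from the JDK sources; the class name, the helper `contextFor` and the empty in-memory keystore are assumptions made so that it runs offline.

```java
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class PkixKeyManagerExample {

    // Hypothetical helper: build an SSLContext whose key managers come from
    // the named KeyManagerFactory algorithm ("SunX509" or "PKIX").
    static SSLContext contextFor(String kmfAlgorithm, KeyStore ks, char[] pw)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfAlgorithm);
        kmf.init(ks, pw);
        for (KeyManager km : kmf.getKeyManagers()) {
            // Shows which implementation class backs each algorithm name.
            System.out.println(kmfAlgorithm + " -> " + km.getClass().getName());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers and SecureRandom select the JSSE defaults.
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty in-memory keystore with a placeholder
        // password. Replace with the application's real keystore.
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, pw);

        // The default comes from the ssl.KeyManagerFactory.algorithm
        // security property and falls back to "SunX509" when it is unset.
        System.out.println("default: " + KeyManagerFactory.getDefaultAlgorithm());

        // Option 1: choose the key manager per context.
        contextFor("SunX509", ks, pw);
        contextFor("PKIX", ks, pw);

        // Option 2: change the default for the whole JVM, so code that calls
        // KeyManagerFactory.getDefaultAlgorithm() picks up PKIX.
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
        System.out.println("default now: " + KeyManagerFactory.getDefaultAlgorithm());
        contextFor(KeyManagerFactory.getDefaultAlgorithm(), ks, pw);
    }
}
```

Code that hard-codes `KeyManagerFactory.getInstance("SunX509")` is not affected by the security property and has to be changed at the call site.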
Comments
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/25016 Date: 2025-05-02 22:48:56 +0000
15-05-2025

Still an issue. If/when we fix JDK-8272875 (make PKIX default KeyManager), this could probably be closed as Will Not Fix.
26-01-2022