JDK-8171464 : Release Note: Add mechanism to allow non default root CAs to not be subject to algorithm restrictions
  • Type: Sub-task
  • Component: security-libs
  • Affected Version: 6u141,7u131,8u121,9
  • Priority: P4
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2016-12-19
  • Updated: 2022-06-14
  • Resolved: 2017-03-08
Versions:
  • JDK 6: 6u141 (Resolved)
  • JDK 7: 7u131 (Resolved)
  • JDK 8: 8u121 (Resolved)
Description
**New certpath constraint: jdkCA**
In the `java.security` file, an additional constraint named "jdkCA" is added to the `jdk.certpath.disabledAlgorithms` property. This constraint prohibits the specified algorithm only if the algorithm is used in a certificate chain that terminates at a marked trust anchor in the `lib/security/cacerts` keystore. If the jdkCA constraint is not set, then all chains using the specified algorithm are restricted. jdkCA may only be used once in a DisabledAlgorithm expression.

Example: To apply this constraint to SHA-1 certificates, include the following: `SHA1 jdkCA`
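
An added example (not part of this release note or of the JDK's code): a small Python audit that reads the `jdk.certpath.disabledAlgorithms` value from `java.security` text and reports, per algorithm, whether the restriction covers all chains or only chains ending at a marked `cacerts` anchor. The sample file content, the function names, and the `&` separator between constraints (from the `java.security` grammar, not shown on this page) are assumptions.

```python
# Constructed java.security fragment for illustration (not from a JDK release).
SAMPLE = """\
# certification path restrictions
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA, \\
    RSA keySize < 1024
"""

PROP = "jdk.certpath.disabledAlgorithms"
ANCHORED = "chains ending at a marked cacerts anchor"
ALL = "all chains"


def read_property(text, name=PROP):
    """Return the property value, joining backslash-continued lines."""
    value, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        key, sep, val = (buf + line).partition("=")
        buf = ""
        if sep and key.strip() == name:
            value = val.strip()  # a later definition overrides an earlier one
    return value


def classify(value):
    """Map each disabled algorithm to the chains its restriction covers.

    Only jdkCA is interpreted; other constraints (e.g. keySize) are ignored.
    """
    scopes = {}
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        algorithm, _, rest = entry.partition(" ")
        constraints = [c.strip() for c in rest.split("&") if c.strip()]
        uses = constraints.count("jdkCA")
        if uses > 1:  # the release note allows jdkCA once per expression
            raise ValueError(f"jdkCA used more than once in {entry!r}")
        scopes[algorithm] = ANCHORED if uses else ALL
    return scopes


if __name__ == "__main__":
    for algorithm, scope in classify(read_property(SAMPLE)).items():
        print(f"{algorithm}: restricted for {scope}")
```

An algorithm reported as restricted only for `cacerts`-anchored chains is still accepted in chains that end at a non-default root CA, such as a private enterprise root.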