JDK-8352288 : java.security documentation: incorrect regex syntax describing "usage" algorithm constraint
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P4
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 25
  • Submitted: 2025-03-18
  • Updated: 2025-03-24
  • Resolved: 2025-03-24
Description
Summary
-------
Incorrect regex syntax is used when describing the jdk.certpath.disabledAlgorithms property's UsageConstraint in the java.security file: it marks every usage type as optional, although at least one usage type must be specified.

Problem
-------
Current syntax indicates that usage types are optional:

       UsageConstraint:
         usage [TLSServer] [TLSClient] [SignedJAR]

This is incorrect as at least one usage type must be specified.

Solution
--------
Replace the current text with the proper regex syntax.
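As an added illustration, not JDK code and not the parser in sun.security.util that actually interprets the property, the following Python reimplements the corrected grammar, usage UsageType { UsageType } with UsageType one of TLSServer, TLSClient or SignedJAR, for entries of jdk.certpath.disabledAlgorithms. It rejects a bare usage keyword, which is the input the old bracketed notation wrongly made look legal, accepts repeated usage types as the CSR comments allow, and hands back non-usage constraints untouched. Two things are this example's assumptions rather than anything the CSR states: the case-insensitive match on the usage keyword, and the comma-separated entries with '&'-joined constraints, which follow the layout of the examples shipped in java.security.

```python
"""Validator for the UsageConstraint grammar documented in java.security.

Added example: an illustrative re-implementation of the documented grammar,
not the JDK's own parser (sun.security.util.DisabledAlgorithmConstraints);
it makes no claim about how that class reports errors.

Grammar from the CSR:
    UsageConstraint: usage UsageType { UsageType }
    UsageType:       TLSServer | TLSClient | SignedJAR
"""

# The three usage types the java.security file documents.
USAGE_TYPES = frozenset({"TLSServer", "TLSClient", "SignedJAR"})


class UsageConstraintError(ValueError):
    """A constraint that does not match 'usage UsageType { UsageType }'."""


def parse_usage_constraint(constraint):
    """Return the usage types of one 'usage ...' constraint, in the order written.

    Duplicates are kept, since the CSR comments note that repeated usage types
    are acceptable. A bare 'usage' is rejected: that is the input the old
    'usage [TLSServer] [TLSClient] [SignedJAR]' notation wrongly made look legal.
    The case-insensitive match on the 'usage' keyword is this example's choice.
    """
    tokens = constraint.split()
    if not tokens or tokens[0].lower() != "usage":
        raise UsageConstraintError(f"not a usage constraint: {constraint!r}")
    usages = tokens[1:]
    if not usages:
        raise UsageConstraintError("at least one UsageType is required after 'usage'")
    unknown = [u for u in usages if u not in USAGE_TYPES]
    if unknown:
        raise UsageConstraintError(f"unknown UsageType(s): {unknown}")
    return usages


def is_valid_usage_constraint(constraint):
    """True if the constraint parses under the corrected grammar."""
    try:
        parse_usage_constraint(constraint)
        return True
    except UsageConstraintError:
        return False


def parse_disabled_algorithms(value):
    """Split a jdk.certpath.disabledAlgorithms value into per-algorithm records.

    Assumed layout (follows the examples shipped in java.security): entries are
    comma-separated, each is 'Algorithm [Constraint { & Constraint }]'. Only the
    usage constraint is interpreted; other constraints are returned verbatim.
    """
    records = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        algorithm, _, rest = entry.partition(" ")
        record = {"algorithm": algorithm, "usages": [], "other": []}
        for clause in filter(None, (c.strip() for c in rest.split("&"))):
            if clause.split()[0].lower() == "usage":
                record["usages"].extend(parse_usage_constraint(clause))
            else:
                record["other"].append(clause)
        records.append(record)
    return records


if __name__ == "__main__":
    # Constructed sample value in the style of the shipped java.security file.
    sample = "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024"
    for rec in parse_disabled_algorithms(sample):
        print(rec)
    probes = ("usage TLSServer SignedJAR", "usage TLSServer TLSServer", "usage", "usage Foo")
    for probe in probes:
        print(f"{probe!r}: {'ok' if is_valid_usage_constraint(probe) else 'rejected'}")
```

Running the module prints the parsed records for the constructed sample and then shows that the two-type and duplicated-type constraints are accepted while the bare `usage` and an unknown UsageType are rejected, which is exactly the distinction the corrected grammar is meant to express.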

Specification
-------------

       --- a/src/java.base/share/conf/security/java.security
       +++ b/src/java.base/share/conf/security/java.security
       @@ -535,7 +535,10 @@ sun.security.krb5.maxReferrals=5
        #       denyAfter YYYY-MM-DD
        #
        #   UsageConstraint:
       -#       usage [TLSServer] [TLSClient] [SignedJAR]
       +#       usage UsageType { UsageType }
       +#
       +#   UsageType:
       +#       ([TLSServer] | [TLSClient] | [SignedJAR])
        #
        #   IncludeProperty:
        #       include <security property>
       @@ -598,9 +601,9 @@ sun.security.krb5.maxReferrals=5
        #       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"
        #
        #   UsageConstraint:
       -#     usage [TLSServer] [TLSClient] [SignedJAR]
       +#     usage UsageType { UsageType }
        #       This constraint prohibits the specified algorithm for
       -#       a specified usage.  This should be used when disabling an algorithm
       +#       a specified UsageType. This should be used when disabling an algorithm
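Review bot: the reworded description still says `a specified UsageType` in the singular, while the grammar on the line just above, `usage UsageType { UsageType }`, allows several; suggest "for each of the specified UsageTypes" so the prose matches the production. The hunk as shown also stops mid-sentence at `This should be used when disabling an algorithm`, so the remainder of the changed paragraph is not visible here for review.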

Comments
Thanks [~darcy]! Duplicate usage types are allowed so it's acceptable.
24-03-2025

Moving to Provisional, not Approved. One minor note: as written the regex would accept inputs like "usage TLSServer TLSServer TLSServer TLSServer". If that is acceptable here, please re-Finalize. Other portions of the java.security file state constraints like "The aspects can appear in any order but the same aspect can only appear at most once." If such a constraint is appropriate here too, please update and re-Finalize. Thanks.
24-03-2025