jdk/src/java.base/share/conf/security/java.security
changeset 37726 bbecfff95ec3
parent 37373 3414aeff4a80
child 37796 256c45c4af5d
37725:04ee31f1c2a9 37726:bbecfff95ec3
   495 # BNF-style:
   495 # BNF-style:
   496 #   DisabledAlgorithms:
   496 #   DisabledAlgorithms:
   497 #       " DisabledAlgorithm { , DisabledAlgorithm } "
   497 #       " DisabledAlgorithm { , DisabledAlgorithm } "
   498 #
   498 #
   499 #   DisabledAlgorithm:
   499 #   DisabledAlgorithm:
   500 #       AlgorithmName [Constraint]
   500 #       AlgorithmName [Constraint] { '&' Constraint }
   501 #
   501 #
   502 #   AlgorithmName:
   502 #   AlgorithmName:
   503 #       (see below)
   503 #       (see below)
   504 #
   504 #
   505 #   Constraint:
   505 #   Constraint:
   506 #       KeySizeConstraint
   506 #       KeySizeConstraint, CertConstraint
   507 #
   507 #
   508 #   KeySizeConstraint:
   508 #   KeySizeConstraint:
   509 #       keySize Operator DecimalInteger
   509 #       keySize Operator DecimalInteger
   510 #
   510 #
   511 #   Operator:
   511 #   Operator:
   517 #   DecimalDigits:
   517 #   DecimalDigits:
   518 #       DecimalDigit {DecimalDigit}
   518 #       DecimalDigit {DecimalDigit}
   519 #
   519 #
   520 #   DecimalDigit: one of
   520 #   DecimalDigit: one of
   521 #       1 2 3 4 5 6 7 8 9 0
   521 #       1 2 3 4 5 6 7 8 9 0
       
   522 #
       
   523 #   CertConstraint
       
   524 #       jdkCA
   522 #
   525 #
   523 # The "AlgorithmName" is the standard algorithm name of the disabled
   526 # The "AlgorithmName" is the standard algorithm name of the disabled
   524 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
   527 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
   525 # Documentation" for information about Standard Algorithm Names.  Matching
   528 # Documentation" for information about Standard Algorithm Names.  Matching
   526 # is performed using a case-insensitive sub-element matching rule.  (For
   529 # is performed using a case-insensitive sub-element matching rule.  (For
   540 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
   543 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
   541 # that any RSA key with key size less than 1024 or greater than 2048 should
   544 # that any RSA key with key size less than 1024 or greater than 2048 should
   542 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
   545 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
   543 # algorithms.
   546 # algorithms.
   544 #
   547 #
       
   548 # "CertConstraint" specifies additional constraints for
       
   549 # certificates that contain algorithms that are restricted:
       
   550 #
       
   551 #   "jdkCA" prohibits the specified algorithm only if the algorithm is used
       
   552 #     in a certificate chain that terminates at a marked trust anchor in the
       
   553 #     lib/security/cacerts keystore.  All other chains are not affected.
       
   554 #     If the jdkCA constraint is not set, then all chains using the
       
   555 #     specified algorithm are restricted.  jdkCA may only be used once in
       
   556 #     a DisabledAlgorithm expression.
       
   557 #     Example:  To apply this constraint to SHA-1 certificates, include
       
   558 #     the following:  "SHA1 jdkCA"
       
   559 #
       
   560 # When an algorithm must satisfy more than one constraint, it must be
       
   561 # delimited by an ampersand '&'.  For example, to restrict certificates in a
       
   562 # chain that terminate at a distribution provided trust anchor and contain
       
   563 # RSA keys that are less than or equal to 1024 bits, add the following
       
   564 # constraint:  "RSA keySize <= 1024 & jdkCA".
       
   565 #
       
   566 # All DisabledAlgorithms expressions are processed in the order defined in the
       
   567 # property.  This requires lower keysize constraints to be specified
       
   568 # before larger keysize constraints of the same algorithm.  For example:
       
   569 # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
       
   570 #
   545 # Note: This property is currently used by Oracle's PKIX implementation. It
   571 # Note: This property is currently used by Oracle's PKIX implementation. It
   546 # is not guaranteed to be examined and used by other implementations.
   572 # is not guaranteed to be examined and used by other implementations.
   547 #
   573 #
   548 # Example:
   574 # Example:
   549 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
   575 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
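Review bot: The ordering example at new line 569, `"RSA keySize < 1024 & jdkCA, RSA keySize < 2048"`, does not show why order matters. By the rule at new lines 554-555, the second entry has no jdkCA and so already restricts RSA keys under 2048 bits in every chain, which makes the jdkCA-scoped first entry redundant. The text at new lines 566-568 also does not say what happens when entries are listed in the wrong order; presumably a misordered entry is not applied as intended, and an administrator editing this property needs that stated. In the grammar, new line 506 separates the alternatives with a comma, the same token that separates DisabledAlgorithm entries, and new line 523 lacks the colon the other productions carry. Consider one alternative per line under `Constraint:` and writing `#   CertConstraint:`.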