495 # BNF-style: |
495 # BNF-style: |
496 # DisabledAlgorithms: |
496 # DisabledAlgorithms: |
497 # " DisabledAlgorithm { , DisabledAlgorithm } " |
497 # " DisabledAlgorithm { , DisabledAlgorithm } " |
498 # |
498 # |
499 # DisabledAlgorithm: |
499 # DisabledAlgorithm: |
500 # AlgorithmName [Constraint] |
500 # AlgorithmName [Constraint] { '&' Constraint } |
501 # |
501 # |
502 # AlgorithmName: |
502 # AlgorithmName: |
503 # (see below) |
503 # (see below) |
504 # |
504 # |
505 # Constraint: |
505 # Constraint: |
506 # KeySizeConstraint |
506 # KeySizeConstraint, CertConstraint |
507 # |
507 # |
508 # KeySizeConstraint: |
508 # KeySizeConstraint: |
509 # keySize Operator DecimalInteger |
509 # keySize Operator DecimalInteger |
510 # |
510 # |
511 # Operator: |
511 # Operator: |
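Review bot: The new Constraint production at new line 506, "KeySizeConstraint, CertConstraint", separates its alternatives with a comma, but in this grammar the comma is already the delimiter between DisabledAlgorithm entries (line 497), so the production can be misread as a sequence or as a property-level separator. List the alternatives one per line, as the other productions do, or use an explicit alternation symbol. On new line 500, "AlgorithmName [Constraint] { '&' Constraint }" also formally admits "& Constraint" with no leading constraint; "AlgorithmName [ Constraint { '&' Constraint } ]" would rule that out.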
517 # DecimalDigits: |
517 # DecimalDigits: |
518 # DecimalDigit {DecimalDigit} |
518 # DecimalDigit {DecimalDigit} |
519 # |
519 # |
520 # DecimalDigit: one of |
520 # DecimalDigit: one of |
521 # 1 2 3 4 5 6 7 8 9 0 |
521 # 1 2 3 4 5 6 7 8 9 0 |
|
522 # |
|
523 # CertConstraint |
|
524 # jdkCA |
522 # |
525 # |
523 # The "AlgorithmName" is the standard algorithm name of the disabled |
526 # The "AlgorithmName" is the standard algorithm name of the disabled |
524 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name |
527 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name |
525 # Documentation" for information about Standard Algorithm Names. Matching |
528 # Documentation" for information about Standard Algorithm Names. Matching |
526 # is performed using a case-insensitive sub-element matching rule. (For |
529 # is performed using a case-insensitive sub-element matching rule. (For |
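Review bot: The production added at new line 523 reads "CertConstraint" with no trailing colon, while the other non-terminals in this block ("KeySizeConstraint:", "DecimalDigits:", "DecimalDigit: one of") all carry one. Add the colon so the line reads as a production with "jdkCA" (line 524) as its single alternative, rather than as a stray token in the comment.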
540 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates |
543 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates |
541 # that any RSA key with key size less than 1024 or greater than 2048 should |
544 # that any RSA key with key size less than 1024 or greater than 2048 should |
542 # be disabled. Note that the "KeySizeConstraint" only makes sense to key |
545 # be disabled. Note that the "KeySizeConstraint" only makes sense to key |
543 # algorithms. |
546 # algorithms. |
544 # |
547 # |
|
548 # "CertConstraint" specifies additional constraints for |
|
549 # certificates that contain algorithms that are restricted: |
|
550 # |
|
551 # "jdkCA" prohibits the specified algorithm only if the algorithm is used |
|
552 # in a certificate chain that terminates at a marked trust anchor in the |
|
553 # lib/security/cacerts keystore. All other chains are not affected. |
|
554 # If the jdkCA constraint is not set, then all chains using the |
|
555 # specified algorithm are restricted. jdkCA may only be used once in |
|
556 # a DisabledAlgorithm expression. |
|
557 # Example: To apply this constraint to SHA-1 certificates, include |
|
558 # the following: "SHA1 jdkCA" |
|
559 # |
|
560 # When an algorithm must satisfy more than one constraint, it must be |
|
561 # delimited by an ampersand '&'. For example, to restrict certificates in a |
|
562 # chain that terminate at a distribution provided trust anchor and contain |
|
563 # RSA keys that are less than or equal to 1024 bits, add the following |
|
564 # constraint: "RSA keySize <= 1024 & jdkCA". |
|
565 # |
|
566 # All DisabledAlgorithms expressions are processed in the order defined in the |
|
567 # property. This requires lower keysize constraints to be specified |
|
568 # before larger keysize constraints of the same algorithm. For example: |
|
569 # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048". |
|
570 # |
545 # Note: This property is currently used by Oracle's PKIX implementation. It |
571 # Note: This property is currently used by Oracle's PKIX implementation. It |
546 # is not guaranteed to be examined and used by other implementations. |
572 # is not guaranteed to be examined and used by other implementations. |
547 # |
573 # |
548 # Example: |
574 # Example: |
549 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 |
575 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 |
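Review bot: New lines 566-569 require lower keySize constraints to be listed before larger ones for the same algorithm, but the comment does not say what happens when an administrator writes them in the other order. Since this property defines certificate-path policy, state whether a misordered list is rejected or evaluated differently, and do the same for the "jdkCA may only be used once" rule at lines 555-556. The phrase "marked trust anchor" at line 552 is not defined in the visible text; say how an entry in lib/security/cacerts becomes marked. The closing Example at line 575 still shows only the old syntax, so consider adding one entry that uses "& jdkCA".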