508 # CAConstraint: |
509 # CAConstraint: |
509 # jdkCA |
510 # jdkCA |
510 # |
511 # |
511 # DenyAfterConstraint: |
512 # DenyAfterConstraint: |
512 # denyAfter YYYY-MM-DD |
513 # denyAfter YYYY-MM-DD |
|
514 # |
|
515 # UsageConstraint: |
|
516 # usage [TLSServer] [TLSClient] [SignedJAR] |
513 # |
517 # |
514 # The "AlgorithmName" is the standard algorithm name of the disabled |
518 # The "AlgorithmName" is the standard algorithm name of the disabled |
515 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name |
519 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name |
516 # Documentation" for information about Standard Algorithm Names. Matching |
520 # Documentation" for information about Standard Algorithm Names. Matching |
517 # is performed using a case-insensitive sub-element matching rule. (For |
521 # is performed using a case-insensitive sub-element matching rule. (For |
558 # This constraint can only be used once in a DisabledAlgorithm |
562 # This constraint can only be used once in a DisabledAlgorithm |
559 # expression. |
563 # expression. |
560 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020, |
564 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020, |
561 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03" |
565 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03" |
562 # |
566 # |
|
567 # UsageConstraint: |
|
568 # usage [TLSServer] [TLSClient] [SignedJAR] |
|
569 # This constraint prohibits the specified algorithm for |
|
570 # a specified usage. This should be used when disabling an algorithm |
|
571 # for all usages is not practical. 'TLSServer' restricts the algorithm |
|
572 # in TLS server certificate chains when server authentication is |
|
573 # performed. 'TLSClient' restricts the algorithm in TLS client |
|
574 # certificate chains when client authentication is performed. |
|
575 # 'SignedJAR' constrains use of certificates in signed jar files. |
|
576 # The usage type follows the keyword and more than one usage type can |
|
577 # be specified with a whitespace delimiter. |
|
578 # Example: "SHA1 usage TLSServer TLSClient" |
|
579 # |
563 # When an algorithm must satisfy more than one constraint, it must be |
580 # When an algorithm must satisfy more than one constraint, it must be |
564 # delimited by an ampersand '&'. For example, to restrict certificates in a |
581 # delimited by an ampersand '&'. For example, to restrict certificates in a |
565 # chain that terminate at a distribution provided trust anchor and contain |
582 # chain that terminate at a distribution provided trust anchor and contain |
566 # RSA keys that are less than or equal to 1024 bits, add the following |
583 # RSA keys that are less than or equal to 1024 bits, add the following |
567 # constraint: "RSA keySize <= 1024 & jdkCA". |
584 # constraint: "RSA keySize <= 1024 & jdkCA". |
597 # The syntax of the disabled algorithm string is described as follows: |
614 # The syntax of the disabled algorithm string is described as follows: |
598 # DisabledAlgorithms: |
615 # DisabledAlgorithms: |
599 # " DisabledAlgorithm { , DisabledAlgorithm } " |
616 # " DisabledAlgorithm { , DisabledAlgorithm } " |
600 # |
617 # |
601 # DisabledAlgorithm: |
618 # DisabledAlgorithm: |
602 # AlgorithmName [Constraint] |
619 # AlgorithmName [Constraint] { '&' Constraint } |
603 # |
620 # |
604 # AlgorithmName: |
621 # AlgorithmName: |
605 # (see below) |
622 # (see below) |
606 # |
623 # |
607 # Constraint: |
624 # Constraint: |
608 # KeySizeConstraint |
625 # KeySizeConstraint | DenyAfterConstraint |
609 # |
626 # |
610 # KeySizeConstraint: |
627 # KeySizeConstraint: |
611 # keySize Operator KeyLength |
628 # keySize Operator KeyLength |
|
629 # |
|
630 # DenyAfterConstraint: |
|
631 # denyAfter YYYY-MM-DD |
612 # |
632 # |
613 # Operator: |
633 # Operator: |
614 # <= | < | == | != | >= | > |
634 # <= | < | == | != | >= | > |
615 # |
635 # |
616 # KeyLength: |
636 # KeyLength: |
617 # Integer value of the algorithm's key length in bits |
637 # Integer value of the algorithm's key length in bits |
618 # |
638 # |
619 # Note: This property is currently used by the JDK Reference |
639 # Note: This property is currently used by the JDK Reference |
620 # implementation. It is not guaranteed to be examined and used by other |
640 # implementation. It is not guaranteed to be examined and used by other |
621 # implementations. |
641 # implementations. |
|
642 # |
|
643 # See "jdk.certpath.disabledAlgorithms" for syntax descriptions. |
622 # |
644 # |
623 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ |
645 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ |
624 DSA keySize < 1024 |
646 DSA keySize < 1024 |
625 |
647 |
626 # |
648 # |