--- a/jdk/src/java.base/share/conf/security/java.security Thu May 26 13:18:32 2016 -0700
+++ b/jdk/src/java.base/share/conf/security/java.security Thu May 26 13:33:27 2016 -0700
@@ -570,9 +570,7 @@
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
-#
-# The syntax of the disabled algorithm string is described as this Java
-# BNF-style:
+# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
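Review bot: Dropping the blank comment separator (the removed "-#" line) leaves the sentence "The syntax of the disabled algorithm string is described as follows:" immediately followed by the "DisabledAlgorithms:" production with no visual break, which is inconsistent with the blank "#" lines that separate every other production in this block. Suggest keeping a "#" line between the prose and the grammar. Separately, the wording still relies on the "{ , DisabledAlgorithm }" repetition notation, so even though the explicit "Java BNF-style" reference is gone, a reader has no hint that braces denote optional repetition; consider keeping a short note on the notation.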
@@ -583,25 +581,22 @@
# (see below)
#
# Constraint:
-# KeySizeConstraint, CertConstraint
+# KeySizeConstraint | CAConstraint | DenyAfterConstraint
#
# KeySizeConstraint:
-# keySize Operator DecimalInteger
+# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
-# DecimalInteger:
-# DecimalDigits
-#
-# DecimalDigits:
-# DecimalDigit {DecimalDigit}
+# KeyLength:
+# Integer value of the algorithm's key length in bits
#
-# DecimalDigit: one of
-# 1 2 3 4 5 6 7 8 9 0
+# CAConstraint:
+# jdkCA
#
-# CertConstraint
-# jdkCA
+# DenyAfterConstraint:
+# denyAfter YYYY-MM-DD
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
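Review bot: The new "Constraint:" production ("KeySizeConstraint | CAConstraint | DenyAfterConstraint") only admits a single constraint, yet the same file states that multiple constraints are combined with an ampersand and the later example uses "RSA keySize == 2048 & denyAfter 2020-02-03". The grammar should show that combination, e.g. "Constraint: Constraint { & Constraint }" or a separate "Constraints" production, so the example parses under the documented syntax. Also, "|" is used here as grammar alternation while the "Operator:" production immediately below uses "|" to separate literal tokens ("<= | < | == | != | >= | >"); with the formal DecimalInteger/DecimalDigit productions replaced by prose ("Integer value of the algorithm's key length in bits"), it would help to state that "|" in these productions means "one of" and is not part of the string.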
@@ -615,27 +610,42 @@
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
-# A "Constraint" provides further guidance for the algorithm being specified.
-# The "KeySizeConstraint" requires a key of a valid size range if the
-# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
-# key size specified in number of bits. For example, "RSA keySize <= 1024"
-# indicates that any RSA key with key size less than or equal to 1024 bits
-# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
-# that any RSA key with key size less than 1024 or greater than 2048 should
-# be disabled. Note that the "KeySizeConstraint" only makes sense to key
-# algorithms.
+# A "Constraint" defines restrictions on the keys and/or certificates for
+# a specified AlgorithmName:
+#
+# KeySizeConstraint:
+# keySize Operator KeyLength
+# The constraint requires a key of a valid size range if the
+# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
+# the key size specified in number of bits. For example,
+# "RSA keySize <= 1024" indicates that any RSA key with key size less
+# than or equal to 1024 bits should be disabled, and
+# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
+# with key size less than 1024 or greater than 2048 should be disabled.
+# This constraint is only used on algorithms that have a key size.
#
-# "CertConstraint" specifies additional constraints for
-# certificates that contain algorithms that are restricted:
+# CAConstraint:
+# jdkCA
+# This constraint prohibits the specified algorithm only if the
+# algorithm is used in a certificate chain that terminates at a marked
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
+# are restricted. jdkCA may only be used once in a DisabledAlgorithm
+# expression.
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
#
-# "jdkCA" prohibits the specified algorithm only if the algorithm is used
-# in a certificate chain that terminates at a marked trust anchor in the
-# lib/security/cacerts keystore. All other chains are not affected.
-# If the jdkCA constraint is not set, then all chains using the
-# specified algorithm are restricted. jdkCA may only be used once in
-# a DisabledAlgorithm expression.
-# Example: To apply this constraint to SHA-1 certificates, include
-# the following: "SHA1 jdkCA"
+# DenyAfterConstraint:
+# denyAfter YYYY-MM-DD
+# This constraint prohibits a certificate with the specified algorithm
+# from being used after the date regardless of the certificate's
+# validity. JAR files that are signed and timestamped before the
+# constraint date with certificates containing the disabled algorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
+# expression.
+# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
+# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
#
# When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a
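Review bot: The rewritten "CAConstraint" paragraph drops the old sentence "All other chains are not affected." (removed line "-# lib/security/cacerts keystore. All other chains are not affected."); that sentence made explicit that jdkCA only narrows the restriction to chains anchored in cacerts, and the new text leaves a reader to infer it, so suggest restoring it after "trust anchor in the lib/security/cacerts keystore." In the "DenyAfterConstraint" paragraph, "regardless of the certificate's validity" is ambiguous; if the intent is the notBefore/notAfter validity period, say "regardless of the certificate's validity period". The paragraph also says signed and timestamped JAR files are exempt, but does not say which date is compared (the timestamp date versus the constraint date, as the preceding sentence implies) or whether the timestamp's own signature is subject to the same disabled-algorithm check; one sentence on that would remove the guesswork.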