src/java.base/share/conf/security/java.security
author jwilhelm
Tue, 22 Jan 2019 19:56:19 +0100
changeset 53430 ccfd4e614bb8
parent 53304 9e968a576dd2
parent 53428 f443de1cee05
child 54802 b0a1572ec64a
permissions -rw-r--r--
Merge
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     1
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
     2
# This is the "master security properties file".
90ce3da70b43 Initial load
duke
parents:
diff changeset
     3
#
13159
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     4
# An alternate java.security properties file may be specified
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     5
# from the command line via the system property
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     6
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     7
#    -Djava.security.properties=<URL>
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     8
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     9
# This properties file appends to the master security properties file.
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    10
# If both properties files specify values for the same key, the value
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    11
# from the command-line properties file is selected, as it is the last
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    12
# one loaded.
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    13
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    14
# Also, if you specify
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    15
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    16
#    -Djava.security.properties==<URL> (2 equals),
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    17
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    18
# then that properties file completely overrides the master security
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    19
# properties file.
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    20
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    21
# To disable the ability to specify an additional properties file from
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    22
# the command line, set the key security.overridePropertiesFile
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    23
# to false in the master security properties file. It is set to true
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    24
# by default.
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    25
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    26
# In this file, various security properties are set for use by
90ce3da70b43 Initial load
duke
parents:
diff changeset
    27
# java.security classes. This is where users can statically register
90ce3da70b43 Initial load
duke
parents:
diff changeset
    28
# Cryptography Package Providers ("providers" for short). The term
90ce3da70b43 Initial load
duke
parents:
diff changeset
    29
# "provider" refers to a package or set of packages that supply a
90ce3da70b43 Initial load
duke
parents:
diff changeset
    30
# concrete implementation of a subset of the cryptography aspects of
90ce3da70b43 Initial load
duke
parents:
diff changeset
    31
# the Java Security API. A provider may, for example, implement one or
90ce3da70b43 Initial load
duke
parents:
diff changeset
    32
# more digital signature algorithms or message digest algorithms.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    33
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    34
# Each provider must implement a subclass of the Provider class.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    35
# To register a provider in this master security properties file,
38948
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    36
# specify the provider and priority in the format
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    37
#
38948
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    38
#    security.provider.<n>=<provName | className>
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    39
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    40
# This declares a provider, and specifies its preference
90ce3da70b43 Initial load
duke
parents:
diff changeset
    41
# order n. The preference order is the order in which providers are
90ce3da70b43 Initial load
duke
parents:
diff changeset
    42
# searched for requested algorithms (when no specific provider is
90ce3da70b43 Initial load
duke
parents:
diff changeset
    43
# requested). The order is 1-based; 1 is the most preferred, followed
90ce3da70b43 Initial load
duke
parents:
diff changeset
    44
# by 2, and so on.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    45
#
38948
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    46
# <provName> must specify the name of the Provider as passed to its super
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    47
# class java.security.Provider constructor. This is for providers loaded
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    48
# through the ServiceLoader mechanism.
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    49
#
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    50
# <className> must specify the subclass of the Provider class whose
90ce3da70b43 Initial load
duke
parents:
diff changeset
    51
# constructor sets the values of various properties that are required
90ce3da70b43 Initial load
duke
parents:
diff changeset
    52
# for the Java Security API to look up the algorithms or other
38948
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    53
# facilities implemented by the provider. This is for providers loaded
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    54
# through classpath.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    55
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    56
# Note: Providers can be dynamically registered instead by calls to
90ce3da70b43 Initial load
duke
parents:
diff changeset
    57
# either the addProvider or insertProviderAt method in the Security
90ce3da70b43 Initial load
duke
parents:
diff changeset
    58
# class.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    59
90ce3da70b43 Initial load
duke
parents:
diff changeset
    60
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    61
# List of providers and their preference orders (see above):
90ce3da70b43 Initial load
duke
parents:
diff changeset
    62
#
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    63
#ifdef solaris
36511
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    64
security.provider.tbd=OracleUcrypto
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    65
security.provider.tbd=SunPKCS11 ${java.home}/conf/security/sunpkcs11-solaris.cfg
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    66
#endif
36511
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    67
security.provider.tbd=SUN
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    68
security.provider.tbd=SunRsaSign
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    69
security.provider.tbd=SunEC
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    70
security.provider.tbd=SunJSSE
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    71
security.provider.tbd=SunJCE
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    72
security.provider.tbd=SunJGSS
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    73
security.provider.tbd=SunSASL
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    74
security.provider.tbd=XMLDSig
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    75
security.provider.tbd=SunPCSC
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    76
security.provider.tbd=JdkLDAP
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    77
security.provider.tbd=JdkSASL
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    78
#ifdef windows
36511
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    79
security.provider.tbd=SunMSCAPI
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    80
#endif
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    81
#ifdef macosx
36511
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    82
security.provider.tbd=Apple
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    83
#endif
31270
e6470b24700d 7191662: JCE providers should be located via ServiceLoader
valeriep
parents: 30904
diff changeset
    84
#ifndef solaris
36511
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    85
security.provider.tbd=SunPKCS11
31270
e6470b24700d 7191662: JCE providers should be located via ServiceLoader
valeriep
parents: 30904
diff changeset
    86
#endif
e6470b24700d 7191662: JCE providers should be located via ServiceLoader
valeriep
parents: 30904
diff changeset
    87
33241
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    88
#
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    89
# A list of preferred providers for specific algorithms. These providers will
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    90
# be searched for matching algorithms before the list of registered providers.
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    91
# Entries containing errors (parsing, etc) will be ignored. Use the
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    92
# -Djava.security.debug=jca property to debug these errors.
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    93
#
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    94
# The property is a comma-separated list of serviceType.algorithm:provider
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    95
# entries. The serviceType (example: "MessageDigest") is optional, and if
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    96
# not specified, the algorithm applies to all service types that support it.
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    97
# The algorithm is the standard algorithm name or transformation.
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    98
# Transformations can be specified in their full standard name
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    99
# (ex: AES/CBC/PKCS5Padding), or as partial matches (ex: AES, AES/CBC).
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   100
# The provider is the name of the provider. Any provider that does not
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   101
# also appear in the registered list will be ignored.
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   102
#
38435
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   103
# There is a special serviceType for this property only to group a set of
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   104
# algorithms together. The type is "Group" and is followed by an algorithm
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   105
# keyword. Groups are to simplify and lessen the entries on the property
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   106
# line. Current groups are:
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   107
#   Group.SHA2 = SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   108
#   Group.HmacSHA2 = HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   109
#   Group.SHA2RSA = SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   110
#   Group.SHA2DSA = SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   111
#   Group.SHA2ECDSA = SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, \
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   112
#                     SHA512withECDSA
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   113
#   Group.SHA3 = SHA3-224, SHA3-256, SHA3-384, SHA3-512
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   114
#   Group.HmacSHA3 = HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   115
#
33241
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   116
# Example:
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   117
#   jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \
38435
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   118
#         MessageDigest.SHA-256:SUN, Group.HmacSHA2:SunJCE
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   119
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   120
#ifdef solaris-sparc
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   121
# Optional Solaris-SPARC configuration for non-FIPS 140 configurations.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   122
#   jdk.security.provider.preferred=AES:SunJCE, SHA1:SUN, Group.SHA2:SUN, \
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   123
#   HmacSHA1:SunJCE, Group.HmacSHA2:SunJCE
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   124
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   125
#endif
39339
3a9850ed77e8 8159180: Remove default setting for jdk.security.provider.preferred
ascarpino
parents: 38948
diff changeset
   126
#jdk.security.provider.preferred=
33241
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   127
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   128
90ce3da70b43 Initial load
duke
parents:
diff changeset
   129
#
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   130
# Sun Provider SecureRandom seed source.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   131
#
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   132
# Select the primary source of seed data for the "NativePRNG", "SHA1PRNG"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   133
# and "DRBG" SecureRandom implementations in the "Sun" provider.
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   134
# (Other SecureRandom implementations might also use this property.)
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   135
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   136
# On Unix-like systems (for example, Solaris/Linux/MacOS), the
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   137
# "NativePRNG", "SHA1PRNG" and "DRBG" implementations obtains seed data from
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   138
# special device files such as file:/dev/random.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   139
#
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   140
# On Windows systems, specifying the URLs "file:/dev/random" or
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   141
# "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   142
# mechanism for SHA1PRNG and DRBG.
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   143
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   144
# By default, an attempt is made to use the entropy gathering device
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   145
# specified by the "securerandom.source" Security property.  If an
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   146
# exception occurs while accessing the specified URL:
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   147
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   148
#     NativePRNG:
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   149
#         a default value of /dev/random will be used.  If neither
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   150
#         are available, the implementation will be disabled.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   151
#         "file" is the only currently supported protocol type.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   152
#
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   153
#     SHA1PRNG and DRBG:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   154
#         the traditional system/thread activity algorithm will be used.
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   155
#
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   156
# The entropy gathering device can also be specified with the System
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   157
# property "java.security.egd". For example:
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   158
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   159
#   % java -Djava.security.egd=file:/dev/random MainClass
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   160
#
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   161
# Specifying this System property will override the
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   162
# "securerandom.source" Security property.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   163
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   164
# In addition, if "file:/dev/random" or "file:/dev/urandom" is
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   165
# specified, the "NativePRNG" implementation will be more preferred than
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   166
# DRBG and SHA1PRNG in the Sun provider.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   167
#
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   168
securerandom.source=file:/dev/random
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   169
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   170
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   171
# A list of known strong SecureRandom implementations.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   172
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   173
# To help guide applications in selecting a suitable strong
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   174
# java.security.SecureRandom implementation, Java distributions should
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   175
# indicate a list of known strong implementations using the property.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   176
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   177
# This is a comma-separated list of algorithm and/or algorithm:provider
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   178
# entries.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   179
#
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
   180
#ifdef windows
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   181
securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
   182
#endif
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
   183
#ifndef windows
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   184
securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
   185
#endif
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   186
90ce3da70b43 Initial load
duke
parents:
diff changeset
   187
#
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   188
# Sun provider DRBG configuration and default instantiation request.
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   189
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   190
# NIST SP 800-90Ar1 lists several DRBG mechanisms. Each can be configured
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   191
# with a DRBG algorithm name, and can be instantiated with a security strength,
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   192
# prediction resistance support, etc. This property defines the configuration
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   193
# and the default instantiation request of "DRBG" SecureRandom implementations
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   194
# in the SUN provider. (Other DRBG implementations can also use this property.)
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   195
# Applications can request different instantiation parameters like security
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   196
# strength, capability, personalization string using one of the
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   197
# getInstance(...,SecureRandomParameters,...) methods with a
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   198
# DrbgParameters.Instantiation argument, but other settings such as the
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   199
# mechanism and DRBG algorithm names are not currently configurable by any API.
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   200
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   201
# Please note that the SUN implementation of DRBG always supports reseeding.
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   202
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   203
# The value of this property is a comma-separated list of all configurable
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   204
# aspects. The aspects can appear in any order but the same aspect can only
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   205
# appear at most once. Its BNF-style definition is:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   206
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   207
#   Value:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   208
#     aspect { "," aspect }
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   209
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   210
#   aspect:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   211
#     mech_name | algorithm_name | strength | capability | df
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   212
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   213
#   // The DRBG mechanism to use. Default "Hash_DRBG"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   214
#   mech_name:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   215
#     "Hash_DRBG" | "HMAC_DRBG" | "CTR_DRBG"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   216
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   217
#   // The DRBG algorithm name. The "SHA-***" names are for Hash_DRBG and
37896
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   218
#   // HMAC_DRBG, default "SHA-256". The "AES-***" names are for CTR_DRBG,
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   219
#   // default "AES-128" when using the limited cryptographic or "AES-256"
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   220
#   // when using the unlimited.
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   221
#   algorithm_name:
37896
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   222
#     "SHA-224" | "SHA-512/224" | "SHA-256" |
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   223
#     "SHA-512/256" | "SHA-384" | "SHA-512" |
37896
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   224
#     "AES-128" | "AES-192" | "AES-256"
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   225
#
37896
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   226
#   // Security strength requested. Default "128"
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   227
#   strength:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   228
#     "112" | "128" | "192" | "256"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   229
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   230
#   // Prediction resistance and reseeding request. Default "none"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   231
#   //  "pr_and_reseed" - Both prediction resistance and reseeding
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   232
#   //                    support requested
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   233
#   //  "reseed_only"   - Only reseeding support requested
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   234
#   //  "none"          - Neither prediction resistance not reseeding
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   235
#   //                    support requested
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   236
#   pr:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   237
#     "pr_and_reseed" | "reseed_only" | "none"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   238
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   239
#   // Whether a derivation function should be used. only applicable
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   240
#   // to CTR_DRBG. Default "use_df"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   241
#   df:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   242
#     "use_df" | "no_df"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   243
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   244
# Examples,
37896
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   245
#   securerandom.drbg.config=Hash_DRBG,SHA-224,112,none
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   246
#   securerandom.drbg.config=CTR_DRBG,AES-256,192,pr_and_reseed,use_df
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   247
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   248
# The default value is an empty string, which is equivalent to
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   249
#   securerandom.drbg.config=Hash_DRBG,SHA-256,128,none
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   250
#
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   251
securerandom.drbg.config=
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   252
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   253
#
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   254
# Class to instantiate as the javax.security.auth.login.Configuration
90ce3da70b43 Initial load
duke
parents:
diff changeset
   255
# provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   256
#
19385
a7b34a4b1fcb 8016848: javax_security/auth/login tests fail in compact 1 and 2 profiles
mullan
parents: 18828
diff changeset
   257
login.configuration.provider=sun.security.provider.ConfigFile
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   258
90ce3da70b43 Initial load
duke
parents:
diff changeset
   259
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   260
# Default login configuration file
90ce3da70b43 Initial load
duke
parents:
diff changeset
   261
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   262
#login.config.url.1=file:${user.home}/.java.login.config
90ce3da70b43 Initial load
duke
parents:
diff changeset
   263
90ce3da70b43 Initial load
duke
parents:
diff changeset
   264
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   265
# Class to instantiate as the system Policy. This is the name of the class
30444
054604aed79c 8075706: Policy implementation does not allow policy.provider to be on the class path
mullan
parents: 29902
diff changeset
   266
# that will be used as the Policy object. The system class loader is used to
054604aed79c 8075706: Policy implementation does not allow policy.provider to be on the class path
mullan
parents: 29902
diff changeset
   267
# locate this class.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   268
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   269
policy.provider=sun.security.provider.PolicyFile
90ce3da70b43 Initial load
duke
parents:
diff changeset
   270
90ce3da70b43 Initial load
duke
parents:
diff changeset
   271
# The default is to have a single system-wide policy file,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   272
# and a policy file in the user's home directory.
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   273
#
27565
729f9700483a 8049367: Modular Run-Time Images
chegar
parents: 26967
diff changeset
   274
policy.url.1=file:${java.home}/conf/security/java.policy
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   275
policy.url.2=file:${user.home}/.java.policy
90ce3da70b43 Initial load
duke
parents:
diff changeset
   276
90ce3da70b43 Initial load
duke
parents:
diff changeset
   277
# whether or not we expand properties in the policy file
90ce3da70b43 Initial load
duke
parents:
diff changeset
   278
# if this is set to false, properties (${...}) will not be expanded in policy
90ce3da70b43 Initial load
duke
parents:
diff changeset
   279
# files.
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   280
#
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   281
policy.expandProperties=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   282
90ce3da70b43 Initial load
duke
parents:
diff changeset
   283
# whether or not we allow an extra policy to be passed on the command line
90ce3da70b43 Initial load
duke
parents:
diff changeset
   284
# with -Djava.security.policy=somefile. Comment out this line to disable
90ce3da70b43 Initial load
duke
parents:
diff changeset
   285
# this feature.
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   286
#
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   287
policy.allowSystemProperty=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   288
90ce3da70b43 Initial load
duke
parents:
diff changeset
   289
# whether or not we look into the IdentityScope for trusted Identities
90ce3da70b43 Initial load
duke
parents:
diff changeset
   290
# when encountering a 1.1 signed JAR file. If the identity is found
30790
f81f9725a1c6 8065233: Remove Policy provider code that synchronizes on identityPolicyEntries List
mullan
parents: 30506
diff changeset
   291
# and is trusted, we grant it AllPermission. Note: the default policy
f81f9725a1c6 8065233: Remove Policy provider code that synchronizes on identityPolicyEntries List
mullan
parents: 30506
diff changeset
   292
# provider (sun.security.provider.PolicyFile) does not support this property.
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   293
#
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   294
policy.ignoreIdentityScope=false
90ce3da70b43 Initial load
duke
parents:
diff changeset
   295
90ce3da70b43 Initial load
duke
parents:
diff changeset
   296
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   297
# Default keystore type.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   298
#
28243
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   299
keystore.type=pkcs12
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   300
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   301
#
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   302
# Controls compatibility mode for JKS and PKCS12 keystore types.
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   303
#
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   304
# When set to 'true', both JKS and PKCS12 keystore types support loading
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   305
# keystore files in either JKS or PKCS12 format. When set to 'false' the
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   306
# JKS keystore type supports loading only JKS keystore files and the PKCS12
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   307
# keystore type supports loading only PKCS12 keystore files.
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   308
#
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   309
keystore.type.compat=true
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   310
90ce3da70b43 Initial load
duke
parents:
diff changeset
   311
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   312
# List of comma-separated packages that start with or equal this string
43221
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   313
# will cause a security exception to be thrown when passed to the
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   314
# SecurityManager::checkPackageAccess method unless the corresponding
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   315
# RuntimePermission("accessClassInPackage."+package) has been granted.
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   316
#
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   317
package.access=sun.misc.,\
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   318
               sun.reflect.,\
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   319
90ce3da70b43 Initial load
duke
parents:
diff changeset
   320
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   321
# List of comma-separated packages that start with or equal this string
43221
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   322
# will cause a security exception to be thrown when passed to the
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   323
# SecurityManager::checkPackageDefinition method unless the corresponding
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   324
# RuntimePermission("defineClassInPackage."+package) has been granted.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   325
#
43221
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   326
# By default, none of the class loaders supplied with the JDK call
13035
27b066eebe1f 7145239: Finetune package definition restriction
mullan
parents: 8769
diff changeset
   327
# checkPackageDefinition.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   328
#
43221
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   329
package.definition=sun.misc.,\
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   330
                   sun.reflect.,\
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   331
90ce3da70b43 Initial load
duke
parents:
diff changeset
   332
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   333
# Determines whether this properties file can be appended to
90ce3da70b43 Initial load
duke
parents:
diff changeset
   334
# or overridden on the command line via -Djava.security.properties
90ce3da70b43 Initial load
duke
parents:
diff changeset
   335
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   336
security.overridePropertiesFile=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   337
90ce3da70b43 Initial load
duke
parents:
diff changeset
   338
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   339
# Determines the default key and trust manager factory algorithms for
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   340
# the javax.net.ssl package.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   341
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   342
ssl.KeyManagerFactory.algorithm=SunX509
90ce3da70b43 Initial load
duke
parents:
diff changeset
   343
ssl.TrustManagerFactory.algorithm=PKIX
90ce3da70b43 Initial load
duke
parents:
diff changeset
   344
90ce3da70b43 Initial load
duke
parents:
diff changeset
   345
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   346
# The Java-level namelookup cache policy for successful lookups:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   347
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   348
# any negative value: caching forever
90ce3da70b43 Initial load
duke
parents:
diff changeset
   349
# any positive value: the number of seconds to cache an address for
90ce3da70b43 Initial load
duke
parents:
diff changeset
   350
# zero: do not cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   351
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   352
# default value is forever (FOREVER). For security reasons, this
90ce3da70b43 Initial load
duke
parents:
diff changeset
   353
# caching is made forever when a security manager is set. When a security
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   354
# manager is not set, the default behavior in this implementation
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   355
# is to cache for 30 seconds.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   356
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   357
# NOTE: setting this to anything other than the default value can have
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   358
#       serious security implications. Do not set it unless
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   359
#       you are sure you are not exposed to DNS spoofing attack.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   360
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   361
#networkaddress.cache.ttl=-1
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   362
90ce3da70b43 Initial load
duke
parents:
diff changeset
   363
# The Java-level namelookup cache policy for failed lookups:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   364
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   365
# any negative value: cache forever
90ce3da70b43 Initial load
duke
parents:
diff changeset
   366
# any positive value: the number of seconds to cache negative lookup results
90ce3da70b43 Initial load
duke
parents:
diff changeset
   367
# zero: do not cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   368
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   369
# In some Microsoft Windows networking environments that employ
90ce3da70b43 Initial load
duke
parents:
diff changeset
   370
# the WINS name service in addition to DNS, name service lookups
90ce3da70b43 Initial load
duke
parents:
diff changeset
   371
# that fail may take a noticeably long time to return (approx. 5 seconds).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   372
# For this reason the default caching policy is to maintain these
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   373
# results for 10 seconds.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   374
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   375
networkaddress.cache.negative.ttl=10
90ce3da70b43 Initial load
duke
parents:
diff changeset
   376
90ce3da70b43 Initial load
duke
parents:
diff changeset
   377
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   378
# Properties to configure OCSP for certificate revocation checking
90ce3da70b43 Initial load
duke
parents:
diff changeset
   379
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   380
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   381
# Enable OCSP
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   382
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   383
# By default, OCSP is not used for certificate revocation checking.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   384
# This property enables the use of OCSP when set to the value "true".
90ce3da70b43 Initial load
duke
parents:
diff changeset
   385
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   386
# NOTE: SocketPermission is required to connect to an OCSP responder.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   387
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   388
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   389
#   ocsp.enable=true
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   390
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   391
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   392
# Location of the OCSP responder
90ce3da70b43 Initial load
duke
parents:
diff changeset
   393
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   394
# By default, the location of the OCSP responder is determined implicitly
90ce3da70b43 Initial load
duke
parents:
diff changeset
   395
# from the certificate being validated. This property explicitly specifies
90ce3da70b43 Initial load
duke
parents:
diff changeset
   396
# the location of the OCSP responder. The property is used when the
26967
c182469301ee 8037550: Update RFC references in javadoc to RFC 5280
juh
parents: 25991
diff changeset
   397
# Authority Information Access extension (defined in RFC 5280) is absent
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   398
# from the certificate or when it requires overriding.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   399
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   400
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   401
#   ocsp.responderURL=http://ocsp.example.net:80
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   402
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   403
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   404
# Subject name of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   405
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   406
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   407
# of the certificate being validated. This property identifies the certificate
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   408
# of the OCSP responder when the default does not apply. Its value is a string
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   409
# distinguished name (defined in RFC 2253) which identifies a certificate in
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   410
# the set of certificates supplied during cert path validation. In cases where
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   411
# the subject name alone is not sufficient to uniquely identify the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   412
# then both the "ocsp.responderCertIssuerName" and
90ce3da70b43 Initial load
duke
parents:
diff changeset
   413
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
90ce3da70b43 Initial load
duke
parents:
diff changeset
   414
# property is set then those two properties are ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   415
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   416
# Example,
40558
ec1dec20d88f 8024714: In java.security file, ocsp.responderCertSubjectName should not contain quotes
mullan
parents: 40551
diff changeset
   417
#   ocsp.responderCertSubjectName=CN=OCSP Responder, O=XYZ Corp
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   418
90ce3da70b43 Initial load
duke
parents:
diff changeset
   419
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   420
# Issuer name of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   421
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   422
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   423
# of the certificate being validated. This property identifies the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   424
# of the OCSP responder when the default does not apply. Its value is a string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   425
# distinguished name (defined in RFC 2253) which identifies a certificate in
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   426
# the set of certificates supplied during cert path validation. When this
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   427
# property is set then the "ocsp.responderCertSerialNumber" property must also
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   428
# be set. When the "ocsp.responderCertSubjectName" property is set then this
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   429
# property is ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   430
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   431
# Example,
40558
ec1dec20d88f 8024714: In java.security file, ocsp.responderCertSubjectName should not contain quotes
mullan
parents: 40551
diff changeset
   432
#   ocsp.responderCertIssuerName=CN=Enterprise CA, O=XYZ Corp
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   433
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   434
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   435
# Serial number of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   436
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   437
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   438
# of the certificate being validated. This property identifies the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   439
# of the OCSP responder when the default does not apply. Its value is a string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   440
# of hexadecimal digits (colon or space separators may be present) which
90ce3da70b43 Initial load
duke
parents:
diff changeset
   441
# identifies a certificate in the set of certificates supplied during cert path
90ce3da70b43 Initial load
duke
parents:
diff changeset
   442
# validation. When this property is set then the "ocsp.responderCertIssuerName"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   443
# property must also be set. When the "ocsp.responderCertSubjectName" property
90ce3da70b43 Initial load
duke
parents:
diff changeset
   444
# is set then this property is ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   445
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   446
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   447
#   ocsp.responderCertSerialNumber=2A:FF:00
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   448
6311
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   449
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   450
# Policy for failed Kerberos KDC lookups:
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   451
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   452
# When a KDC is unavailable (network error, service failure, etc), it is
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   453
# put inside a blacklist and accessed less often for future requests. The
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   454
# value (case-insensitive) for this policy can be:
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   455
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   456
# tryLast
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   457
#    KDCs in the blacklist are always tried after those not on the list.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   458
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   459
# tryLess[:max_retries,timeout]
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   460
#    KDCs in the blacklist are still tried by their order in the configuration,
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   461
#    but with smaller max_retries and timeout values. max_retries and timeout
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   462
#    are optional numerical parameters (default 1 and 5000, which means once
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   463
#    and 5 seconds). Please notes that if any of the values defined here is
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   464
#    more than what is defined in krb5.conf, it will be ignored.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   465
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   466
# Whenever a KDC is detected as available, it is removed from the blacklist.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   467
# The blacklist is reset when krb5.conf is reloaded. You can add
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   468
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   469
# reloaded whenever a JAAS authentication is attempted.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   470
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   471
# Example,
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   472
#   krb5.kdc.bad.policy = tryLast
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   473
#   krb5.kdc.bad.policy = tryLess:2,2000
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   474
#
6311
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   475
krb5.kdc.bad.policy = tryLast
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   476
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   477
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   478
# Algorithm restrictions for certification path (CertPath) processing
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   479
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   480
# In some environments, certain algorithms or key lengths may be undesirable
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   481
# for certification path building and validation.  For example, "MD2" is
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   482
# generally no longer considered to be a secure hash algorithm.  This section
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   483
# describes the mechanism for disabling algorithms based on algorithm name
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   484
# and/or key length.  This includes algorithms used in certificates, as well
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   485
# as revocation information such as CRLs and signed OCSP Responses.
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   486
# The syntax of the disabled algorithm string is described as follows:
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   487
#   DisabledAlgorithms:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   488
#       " DisabledAlgorithm { , DisabledAlgorithm } "
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   489
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   490
#   DisabledAlgorithm:
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   491
#       AlgorithmName [Constraint] { '&' Constraint }
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   492
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   493
#   AlgorithmName:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   494
#       (see below)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   495
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   496
#   Constraint:
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   497
#       KeySizeConstraint | CAConstraint | DenyAfterConstraint |
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   498
#       UsageConstraint
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   499
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   500
#   KeySizeConstraint:
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   501
#       keySize Operator KeyLength
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   502
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   503
#   Operator:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   504
#       <= | < | == | != | >= | >
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   505
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   506
#   KeyLength:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   507
#       Integer value of the algorithm's key length in bits
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   508
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   509
#   CAConstraint:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   510
#       jdkCA
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   511
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   512
#   DenyAfterConstraint:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   513
#       denyAfter YYYY-MM-DD
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   514
#
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   515
#   UsageConstraint:
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   516
#       usage [TLSServer] [TLSClient] [SignedJAR]
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   517
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   518
# The "AlgorithmName" is the standard algorithm name of the disabled
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   519
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   520
# Documentation" for information about Standard Algorithm Names.  Matching
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   521
# is performed using a case-insensitive sub-element matching rule.  (For
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   522
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   523
# "ECDSA" for signatures.)  If the assertion "AlgorithmName" is a
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   524
# sub-element of the certificate algorithm name, the algorithm will be
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   525
# rejected during certification path building and validation.  For example,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   526
# the assertion algorithm name "DSA" will disable all certificate algorithms
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   527
# that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   528
# will not disable algorithms related to "ECDSA".
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   529
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   530
# A "Constraint" defines restrictions on the keys and/or certificates for
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   531
# a specified AlgorithmName:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   532
#
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   533
#   KeySizeConstraint:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   534
#     keySize Operator KeyLength
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   535
#       The constraint requires a key of a valid size range if the
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   536
#       "AlgorithmName" is of a key algorithm.  The "KeyLength" indicates
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   537
#       the key size specified in number of bits.  For example,
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   538
#       "RSA keySize <= 1024" indicates that any RSA key with key size less
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   539
#       than or equal to 1024 bits should be disabled, and
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   540
#       "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   541
#       with key size less than 1024 or greater than 2048 should be disabled.
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   542
#       This constraint is only used on algorithms that have a key size.
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   543
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   544
#   CAConstraint:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   545
#     jdkCA
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   546
#       This constraint prohibits the specified algorithm only if the
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   547
#       algorithm is used in a certificate chain that terminates at a marked
45992
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   548
#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   549
#       constraint is not set, then all chains using the specified algorithm
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   550
#       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   551
#       expression.
45992
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   552
#       Example:  To apply this constraint to SHA-1 certificates, include
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   553
#       the following:  "SHA1 jdkCA"
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   554
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   555
#   DenyAfterConstraint:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   556
#     denyAfter YYYY-MM-DD
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   557
#       This constraint prohibits a certificate with the specified algorithm
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   558
#       from being used after the date regardless of the certificate's
45992
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   559
#       validity.  JAR files that are signed and timestamped before the
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   560
#       constraint date with certificates containing the disabled algorithm
45992
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   561
#       will not be restricted.  The date is processed in the UTC timezone.
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   562
#       This constraint can only be used once in a DisabledAlgorithm
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   563
#       expression.
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   564
#       Example:  To deny usage of RSA 2048 bit certificates after Feb 3 2020,
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   565
#       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   566
#
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   567
#   UsageConstraint:
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   568
#     usage [TLSServer] [TLSClient] [SignedJAR]
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   569
#       This constraint prohibits the specified algorithm for
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   570
#       a specified usage.  This should be used when disabling an algorithm
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   571
#       for all usages is not practical. 'TLSServer' restricts the algorithm
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   572
#       in TLS server certificate chains when server authentication is
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   573
#       performed. 'TLSClient' restricts the algorithm in TLS client
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   574
#       certificate chains when client authentication is performed.
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   575
#       'SignedJAR' constrains use of certificates in signed jar files.
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   576
#       The usage type follows the keyword and more than one usage type can
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   577
#       be specified with a whitespace delimiter.
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   578
#       Example:  "SHA1 usage TLSServer TLSClient"
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   579
#
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   580
# When an algorithm must satisfy more than one constraint, it must be
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   581
# delimited by an ampersand '&'.  For example, to restrict certificates in a
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   582
# chain that terminate at a distribution provided trust anchor and contain
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   583
# RSA keys that are less than or equal to 1024 bits, add the following
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   584
# constraint:  "RSA keySize <= 1024 & jdkCA".
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   585
#
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   586
# All DisabledAlgorithms expressions are processed in the order defined in the
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   587
# property.  This requires lower keysize constraints to be specified
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   588
# before larger keysize constraints of the same algorithm.  For example:
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   589
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   590
#
41816
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   591
# Note: The algorithm restrictions do not apply to trust anchors or
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   592
# self-signed certificates.
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   593
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   594
# Note: This property is currently used by Oracle's PKIX implementation. It
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   595
# is not guaranteed to be examined and used by other implementations.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   596
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   597
# Example:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   598
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   599
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   600
#
44249
0462723a58ef 8176503: Disable SHA-1 TLS Server Certificates
mullan
parents: 43807
diff changeset
   601
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
0462723a58ef 8176503: Disable SHA-1 TLS Server Certificates
mullan
parents: 43807
diff changeset
   602
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   603
43211
f264afd5082c 8156802: Better constraint checking
rriggs
parents: 43206
diff changeset
   604
#
41589
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   605
# Algorithm restrictions for signed JAR files
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   606
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   607
# In some environments, certain algorithms or key lengths may be undesirable
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   608
# for signed JAR validation.  For example, "MD2" is generally no longer
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   609
# considered to be a secure hash algorithm.  This section describes the
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   610
# mechanism for disabling algorithms based on algorithm name and/or key length.
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   611
# JARs signed with any of the disabled algorithms or key sizes will be treated
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   612
# as unsigned.
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   613
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   614
# The syntax of the disabled algorithm string is described as follows:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   615
#   DisabledAlgorithms:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   616
#       " DisabledAlgorithm { , DisabledAlgorithm } "
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   617
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   618
#   DisabledAlgorithm:
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   619
#       AlgorithmName [Constraint] { '&' Constraint }
41589
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   620
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   621
#   AlgorithmName:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   622
#       (see below)
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   623
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   624
#   Constraint:
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   625
#       KeySizeConstraint | DenyAfterConstraint
41589
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   626
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   627
#   KeySizeConstraint:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   628
#       keySize Operator KeyLength
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   629
#
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   630
#   DenyAfterConstraint:
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   631
#       denyAfter YYYY-MM-DD
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   632
#
41589
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   633
#   Operator:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   634
#       <= | < | == | != | >= | >
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   635
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   636
#   KeyLength:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   637
#       Integer value of the algorithm's key length in bits
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   638
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   639
# Note: This property is currently used by the JDK Reference
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   640
# implementation. It is not guaranteed to be examined and used by other
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   641
# implementations.
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   642
#
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   643
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   644
#
41589
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   645
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   646
      DSA keySize < 1024
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   647
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   648
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   649
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 30790
diff changeset
   650
# (SSL/TLS/DTLS) processing
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   651
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   652
# In some environments, certain algorithms or key lengths may be undesirable
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 30790
diff changeset
   653
# when using SSL/TLS/DTLS.  This section describes the mechanism for disabling
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 30790
diff changeset
   654
# algorithms during SSL/TLS/DTLS security parameters negotiation, including
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 28243
diff changeset
   655
# protocol version negotiation, cipher suites selection, peer authentication
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 28243
diff changeset
   656
# and key exchange mechanisms.
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 28243
diff changeset
   657
#
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 28243
diff changeset
   658
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 28243
diff changeset
   659
# if they are enabled explicitly in an application.
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   660
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   661
# For PKI-based peer authentication and key exchange mechanisms, this list
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   662
# of disabled algorithms will also be checked during certification path
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   663
# building and validation, including algorithms used in certificates, as
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   664
# well as revocation information such as CRLs and signed OCSP Responses.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   665
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   666
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   667
# See the specification of "jdk.certpath.disabledAlgorithms" for the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   668
# syntax of the disabled algorithm string.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   669
#
41816
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   670
# Note: The algorithm restrictions do not apply to trust anchors or
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   671
# self-signed certificates.
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   672
#
43201
b4c682966e2a 8165071: Expand TLS support
xuelei
parents: 42365
diff changeset
   673
# Note: This property is currently used by the JDK Reference implementation.
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   674
# It is not guaranteed to be examined and used by other implementations.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   675
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   676
# Example:
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 28243
diff changeset
   677
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
51465
e4ba2cfcfa92 8208350: Disable all DES cipher suites
jnimeh
parents: 51356
diff changeset
   678
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
52286
d98fb44ad6bf 8211883: Disable anon and NULL cipher suites
mullan
parents: 51879
diff changeset
   679
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   680
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   681
#
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   682
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   683
# processing in JSSE implementation.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   684
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   685
# In some environments, a certain algorithm may be undesirable but it
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   686
# cannot be disabled because of its use in legacy applications.  Legacy
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   687
# algorithms may still be supported, but applications should not use them
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   688
# as the security strength of legacy algorithms are usually not strong enough
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   689
# in practice.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   690
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   691
# During SSL/TLS security parameters negotiation, legacy algorithms will
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   692
# not be negotiated unless there are no other candidates.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   693
#
43201
b4c682966e2a 8165071: Expand TLS support
xuelei
parents: 42365
diff changeset
   694
# The syntax of the legacy algorithms string is described as this Java
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   695
# BNF-style:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   696
#   LegacyAlgorithms:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   697
#       " LegacyAlgorithm { , LegacyAlgorithm } "
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   698
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   699
#   LegacyAlgorithm:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   700
#       AlgorithmName (standard JSSE algorithm name)
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   701
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   702
# See the specification of security property "jdk.certpath.disabledAlgorithms"
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   703
# for the syntax and description of the "AlgorithmName" notation.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   704
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   705
# Per SSL/TLS specifications, cipher suites have the form:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   706
#       SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   707
# or
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   708
#       TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   709
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   710
# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   711
# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   712
# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   713
# algorithm for HMAC.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   714
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   715
# The LegacyAlgorithm can be one of the following standard algorithm names:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   716
#     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   717
#     2. JSSE key exchange algorithm name, e.g., RSA
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   718
#     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
31712
e4d5230193da 8076328: Enforce key exchange constraints
xuelei
parents: 31689
diff changeset
   719
#     4. JSSE message digest algorithm name, e.g., SHA
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   720
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   721
# See SSL/TLS specifications and "Java Cryptography Architecture Standard
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   722
# Algorithm Name Documentation" for information about the algorithm names.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   723
#
38419
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   724
# Note: If a legacy algorithm is also restricted through the
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   725
# jdk.tls.disabledAlgorithms property or the
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   726
# java.security.AlgorithmConstraints API (See
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   727
# javax.net.ssl.SSLParameters.setAlgorithmConstraints()),
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   728
# then the algorithm is completely disabled and will not be negotiated.
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   729
#
43201
b4c682966e2a 8165071: Expand TLS support
xuelei
parents: 42365
diff changeset
   730
# Note: This property is currently used by the JDK Reference implementation.
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   731
# It is not guaranteed to be examined and used by other implementations.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   732
# There is no guarantee the property will continue to exist or be of the
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   733
# same syntax in future releases.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   734
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   735
# Example:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   736
#   jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   737
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   738
jdk.tls.legacyAlgorithms= \
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   739
        K_NULL, C_NULL, M_NULL, \
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   740
        DH_anon, ECDH_anon, \
43201
b4c682966e2a 8165071: Expand TLS support
xuelei
parents: 42365
diff changeset
   741
        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
b4c682966e2a 8165071: Expand TLS support
xuelei
parents: 42365
diff changeset
   742
        3DES_EDE_CBC
33295
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   743
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   744
#
33295
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   745
# The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   746
# parameters for Transport Layer Security (SSL/TLS/DTLS) processing.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   747
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   748
# In traditional SSL/TLS/DTLS connections where finite field DHE parameters
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   749
# negotiation mechanism is not used, the server offers the client group
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   750
# parameters, base generator g and prime modulus p, for DHE key exchange.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   751
# It is recommended to use dynamic group parameters.  This property defines
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   752
# a mechanism that allows you to specify custom group parameters.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   753
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   754
# The syntax of this property string is described as this Java BNF-style:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   755
#   DefaultDHEParameters:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   756
#       DefinedDHEParameters { , DefinedDHEParameters }
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   757
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   758
#   DefinedDHEParameters:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   759
#       "{" DHEPrimeModulus , DHEBaseGenerator "}"
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   760
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   761
#   DHEPrimeModulus:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   762
#       HexadecimalDigits
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   763
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   764
#   DHEBaseGenerator:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   765
#       HexadecimalDigits
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   766
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   767
#   HexadecimalDigits:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   768
#       HexadecimalDigit { HexadecimalDigit }
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   769
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   770
#   HexadecimalDigit: one of
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   771
#       0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   772
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   773
# Whitespace characters are ignored.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   774
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   775
# The "DefinedDHEParameters" defines the custom group parameters, prime
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   776
# modulus p and base generator g, for a particular size of prime modulus p.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   777
# The "DHEPrimeModulus" defines the hexadecimal prime modulus p, and the
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   778
# "DHEBaseGenerator" defines the hexadecimal base generator g of a group
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   779
# parameter.  It is recommended to use safe primes for the custom group
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   780
# parameters.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   781
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   782
# If this property is not defined or the value is empty, the underlying JSSE
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   783
# provider's default group parameter is used for each connection.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   784
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   785
# If the property value does not follow the grammar, or a particular group
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   786
# parameter is not valid, the connection will fall back and use the
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   787
# underlying JSSE provider's default group parameter.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   788
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   789
# Note: This property is currently used by OpenJDK's JSSE implementation. It
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   790
# is not guaranteed to be examined and used by other implementations.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   791
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   792
# Example:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   793
#   jdk.tls.server.defaultDHEParameters=
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   794
#       { \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   795
#       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   796
#       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   797
#       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   798
#       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   799
#       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   800
#       FFFFFFFF FFFFFFFF, 2}
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   801
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   802
#
50768
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   803
# TLS key limits on symmetric cryptographic algorithms
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   804
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   805
# This security property sets limits on algorithms key usage in TLS 1.3.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   806
# When the amount of data encrypted exceeds the algorithm value listed below,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   807
# a KeyUpdate message will trigger a key change.  This is for symmetric ciphers
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   808
# with TLS 1.3 only.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   809
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   810
# The syntax for the property is described below:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   811
#   KeyLimits:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   812
#       " KeyLimit { , KeyLimit } "
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   813
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   814
#   WeakKeyLimit:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   815
#       AlgorithmName Action Length
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   816
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   817
#   AlgorithmName:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   818
#       A full algorithm transformation.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   819
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   820
#   Action:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   821
#       KeyUpdate
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   822
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   823
#   Length:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   824
#       The amount of encrypted data in a session before the Action occurs
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   825
#       This value may be an integer value in bytes, or as a power of two, 2^29.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   826
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   827
#   KeyUpdate:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   828
#       The TLS 1.3 KeyUpdate handshake process begins when the Length amount
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   829
#       is fulfilled.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   830
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   831
# Note: This property is currently used by OpenJDK's JSSE implementation. It
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   832
# is not guaranteed to be examined and used by other implementations.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   833
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   834
jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   835
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   836
#
40565
3ac0ba151e70 8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents: 40558
diff changeset
   837
# Cryptographic Jurisdiction Policy defaults
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   838
#
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   839
# Import and export control rules on cryptographic software vary from
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   840
# country to country.  By default, Java provides two different sets of
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   841
# cryptographic policy files[1]:
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   842
#
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   843
#     unlimited:  These policy files contain no restrictions on cryptographic
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   844
#                 strengths or algorithms
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   845
#
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   846
#     limited:    These policy files contain more restricted cryptographic
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   847
#                 strengths
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   848
#
48546
707438d2d171 8190229: Non-ASCII characters in java.security file after 8186093
wetmore
parents: 47216
diff changeset
   849
# The default setting is determined by the value of the "crypto.policy"
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   850
# Security property below. If your country or usage requires the
48546
707438d2d171 8190229: Non-ASCII characters in java.security file after 8186093
wetmore
parents: 47216
diff changeset
   851
# traditional restrictive policy, the "limited" Java cryptographic
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   852
# policy is still available and may be appropriate for your environment.
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   853
#
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   854
# If you have restrictions that do not fit either use case mentioned
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   855
# above, Java provides the capability to customize these policy files.
48546
707438d2d171 8190229: Non-ASCII characters in java.security file after 8186093
wetmore
parents: 47216
diff changeset
   856
# The "crypto.policy" security property points to a subdirectory
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   857
# within <java-home>/conf/security/policy/ which can be customized.
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   858
# Please see the <java-home>/conf/security/policy/README.txt file or consult
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   859
# the Java Security Guide/JCA documentation for more information.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   860
#
40565
3ac0ba151e70 8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents: 40558
diff changeset
   861
# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
3ac0ba151e70 8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents: 40558
diff changeset
   862
# TO DETERMINE THE EXACT REQUIREMENTS.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   863
#
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   864
# [1] Please note that the JCE for Java SE, including the JCE framework,
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   865
# cryptographic policy files, and standard JCE providers provided with
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   866
# the Java SE, have been reviewed and approved for export as mass market
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   867
# encryption item by the US Bureau of Industry and Security.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   868
#
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   869
# Note: This property is currently used by the JDK Reference implementation.
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   870
# It is not guaranteed to be examined and used by other implementations.
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   871
#
40565
3ac0ba151e70 8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents: 40558
diff changeset
   872
crypto.policy=crypto.policydir-tbd
3ac0ba151e70 8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents: 40558
diff changeset
   873
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   874
#
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   875
# The policy for the XML Signature secure validation mode. The mode is
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   876
# enabled by setting the property "org.jcp.xml.dsig.secureValidation" to
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   877
# true with the javax.xml.crypto.XMLCryptoContext.setProperty() method,
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   878
# or by running the code with a SecurityManager.
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   879
#
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   880
#   Policy:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   881
#       Constraint {"," Constraint }
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   882
#   Constraint:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   883
#       AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
43206
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   884
#       ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   885
#   AlgConstraint
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   886
#       "disallowAlg" Uri
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   887
#   MaxTransformsConstraint:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   888
#       "maxTransforms" Integer
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   889
#   MaxReferencesConstraint:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   890
#       "maxReferences" Integer
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   891
#   ReferenceUriSchemeConstraint:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   892
#       "disallowReferenceUriSchemes" String { String }
43206
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   893
#   KeySizeConstraint:
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   894
#       "minKeySize" KeyAlg Integer
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   895
#   OtherConstraint:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   896
#       "noDuplicateIds" | "noRetrievalMethodLoops"
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   897
#
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   898
# For AlgConstraint, Uri is the algorithm URI String that is not allowed.
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   899
# See the XML Signature Recommendation for more information on algorithm
43206
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   900
# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   901
# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   902
# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   903
# specified more than once, only the last entry is enforced.
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   904
#
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   905
# Note: This property is currently used by the JDK Reference implementation. It
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   906
# is not guaranteed to be examined and used by other implementations.
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   907
#
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   908
jdk.xml.dsig.secureValidationPolicy=\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   909
    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   910
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   911
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   912
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   913
    maxTransforms 5,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   914
    maxReferences 30,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   915
    disallowReferenceUriSchemes file http https,\
43206
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   916
    minKeySize RSA 1024,\
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   917
    minKeySize DSA 1024,\
49779
ade43608ac3d 8186032: Disable XML Signatures signed with EC keys less than 224 bits
mullan
parents: 48608
diff changeset
   918
    minKeySize EC 224,\
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   919
    noDuplicateIds,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   920
    noRetrievalMethodLoops
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   921
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   922
#
53304
9e968a576dd2 8202675: Replace process-wide terminology in serial filtering to be consistent
rriggs
parents: 52996
diff changeset
   923
# Serialization system-wide filter
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   924
#
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   925
# A filter, if configured, is used by java.io.ObjectInputStream during
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   926
# deserialization to check the contents of the stream.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   927
# A filter is configured as a sequence of patterns, each pattern is either
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   928
# matched against the name of a class in the stream or defines a limit.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   929
# Patterns are separated by ";" (semicolon).
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   930
# Whitespace is significant and is considered part of the pattern.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   931
#
49783
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
   932
# If the system property jdk.serialFilter is also specified, it supersedes
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
   933
# the security property value defined here.
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
   934
#
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   935
# If a pattern includes a "=", it sets a limit.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   936
# If a limit appears more than once the last value is used.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   937
# Limits are checked before classes regardless of the order in the
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   938
# sequence of patterns.
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   939
# If any of the limits are exceeded, the filter status is REJECTED.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   940
#
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   941
#   maxdepth=value - the maximum depth of a graph
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   942
#   maxrefs=value  - the maximum number of internal references
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   943
#   maxbytes=value - the maximum number of bytes in the input stream
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   944
#   maxarray=value - the maximum array length allowed
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   945
#
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   946
# Other patterns, from left to right, match the class or package name as
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   947
# returned from Class.getName.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   948
# If the class is an array type, the class or package to be matched is the
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   949
# element type.
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   950
# Arrays of any number of dimensions are treated the same as the element type.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   951
# For example, a pattern of "!example.Foo", rejects creation of any instance or
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   952
# array of example.Foo.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   953
#
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   954
# If the pattern starts with "!", the status is REJECTED if the remaining
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   955
# pattern is matched; otherwise the status is ALLOWED if the pattern matches.
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   956
# If the pattern contains "/", the non-empty prefix up to the "/" is the
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   957
# module name;
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   958
#   if the module name matches the module name of the class then
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   959
#   the remaining pattern is matched with the class name.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   960
#   If there is no "/", the module name is not compared.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   961
# If the pattern ends with ".**" it matches any class in the package and all
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   962
# subpackages.
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   963
# If the pattern ends with ".*" it matches any class in the package.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   964
# If the pattern ends with "*", it matches any class with the pattern as a
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   965
# prefix.
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   966
# If the pattern is equal to the class name, it matches.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   967
# Otherwise, the status is UNDECIDED.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   968
#
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   969
#jdk.serialFilter=pattern;pattern
41580
cc479488428c 8155973: Tighten jar checks
ascarpino
parents: 41230
diff changeset
   970
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   971
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   972
# RMI Registry Serial Filter
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   973
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   974
# The filter pattern uses the same format as jdk.serialFilter.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   975
# This filter can override the builtin filter if additional types need to be
46160
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   976
# allowed or rejected from the RMI Registry or to decrease limits but not
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   977
# to increase limits.
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   978
# If the limits (maxdepth, maxrefs, or maxbytes) are exceeded, the object is rejected.
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   979
#
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   980
# Each non-array type is allowed or rejected if it matches one of the patterns,
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   981
# evaluated from left to right, and is otherwise allowed. Arrays of any
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   982
# component type, including subarrays and arrays of primitives, are allowed.
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   983
#
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   984
# Array construction of any component type, including subarrays and arrays of
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   985
# primitives, are allowed unless the length is greater than the maxarray limit.
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   986
# The filter is applied to each array element.
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   987
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   988
# Note: This property is currently used by the JDK Reference implementation.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   989
# It is not guaranteed to be examined and used by other implementations.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   990
#
46160
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   991
# The built-in filter allows subclasses of allowed classes and
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   992
# can approximately be represented as the pattern:
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   993
#
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   994
#sun.rmi.registry.registryFilter=\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   995
#    maxarray=1000000;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   996
#    maxdepth=20;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   997
#    java.lang.String;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   998
#    java.lang.Number;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
   999
#    java.lang.reflect.Proxy;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1000
#    java.rmi.Remote;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1001
#    sun.rmi.server.UnicastRef;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1002
#    sun.rmi.server.RMIClientSocketFactory;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1003
#    sun.rmi.server.RMIServerSocketFactory;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1004
#    java.rmi.activation.ActivationID;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1005
#    java.rmi.server.UID
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1006
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1007
# RMI Distributed Garbage Collector (DGC) Serial Filter
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1008
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1009
# The filter pattern uses the same format as jdk.serialFilter.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1010
# This filter can override the builtin filter if additional types need to be
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1011
# allowed or rejected from the RMI DGC.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1012
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1013
# Note: This property is currently used by the JDK Reference implementation.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1014
# It is not guaranteed to be examined and used by other implementations.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1015
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1016
# The builtin DGC filter can approximately be represented as the filter pattern:
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1017
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1018
#sun.rmi.transport.dgcFilter=\
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1019
#    java.rmi.server.ObjID;\
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1020
#    java.rmi.server.UID;\
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1021
#    java.rmi.dgc.VMID;\
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1022
#    java.rmi.dgc.Lease;\
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1023
#    maxdepth=5;maxarray=10000
48554
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1024
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1025
# CORBA ORBIorTypeCheckRegistryFilter
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1026
# Type check enhancement for ORB::string_to_object processing
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1027
#
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1028
# An IOR type check filter, if configured, is used by an ORB during
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1029
# an ORB::string_to_object invocation to check the veracity of the type encoded
50722
bc104aaf24e9 8204233: Add configurable option for enhanced socket IOException messages
michaelm
parents: 49787
diff changeset
  1030
# in the ior string.
48554
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1031
#
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1032
# The filter pattern consists of a semi-colon separated list of class names.
50722
bc104aaf24e9 8204233: Add configurable option for enhanced socket IOException messages
michaelm
parents: 49787
diff changeset
  1033
# The configured list contains the binary class names of the IDL interface types
48554
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1034
# corresponding to the IDL stub class to be instantiated.
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1035
# As such, a filter specifies a list of IDL stub classes that will be
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1036
# allowed by an ORB when an ORB::string_to_object is invoked.
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1037
# It is used to specify a white list configuration of acceptable
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1038
# IDL stub types which may be contained in a stringified IOR
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1039
# parameter passed as input to an ORB::string_to_object method.
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1040
#
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1041
# Note: This property is currently used by the JDK Reference implementation.
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1042
# It is not guaranteed to be examined and used by other implementations.
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1043
#
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1044
#com.sun.CORBA.ORBIorTypeCheckRegistryFilter=binary_class_name;binary_class_name
49783
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1045
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1046
#
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1047
# JCEKS Encrypted Key Serial Filter
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1048
#
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1049
# This filter, if configured, is used by the JCEKS KeyStore during the
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1050
# deserialization of the encrypted Key object stored inside a key entry.
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1051
# If not configured or the filter result is UNDECIDED (i.e. none of the patterns
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1052
# matches), the filter configured by jdk.serialFilter will be consulted.
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1053
#
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1054
# If the system property jceks.key.serialFilter is also specified, it supersedes
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1055
# the security property value defined here.
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1056
#
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1057
# The filter pattern uses the same format as jdk.serialFilter. The default
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1058
# pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type,
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1059
# and javax.crypto.spec.SecretKeySpec and rejects all the others.
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1060
jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1061
  java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*
50722
bc104aaf24e9 8204233: Add configurable option for enhanced socket IOException messages
michaelm
parents: 49787
diff changeset
  1062
bc104aaf24e9 8204233: Add configurable option for enhanced socket IOException messages
michaelm
parents: 49787
diff changeset
  1063
#
52996
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1064
# PKCS12 KeyStore properties
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1065
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1066
# The following properties, if configured, are used by the PKCS12 KeyStore
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1067
# implementation during the creation of a new keystore. Several of the
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1068
# properties may also be used when modifying an existing keystore. The
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1069
# properties can be overridden by a KeyStore API that specifies its own
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1070
# algorithms and parameters.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1071
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1072
# If an existing PKCS12 keystore is loaded and then stored, the algorithm and
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1073
# parameter used to generate the existing Mac will be reused. If the existing
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1074
# keystore does not have a Mac, no Mac will be created while storing. If there
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1075
# is at least one certificate in the existing keystore, the algorithm and
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1076
# parameters used to encrypt the last certificate in the existing keystore will
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1077
# be reused to encrypt all certificates while storing. If the last certificate
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1078
# in the existing keystore is not encrypted, all certificates will be stored
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1079
# unencrypted. If there is no certificate in the existing keystore, any newly
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1080
# added certificate will be encrypted (or stored unencrypted if algorithm
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1081
# value is "NONE") using the "keystore.pkcs12.certProtectionAlgorithm" and
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1082
# "keystore.pkcs12.certPbeIterationCount" values defined here. Existing private
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1083
# and secret key(s) are not changed. Newly set private and secret key(s) will
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1084
# be encrypted using the "keystore.pkcs12.keyProtectionAlgorithm" and
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1085
# "keystore.pkcs12.keyPbeIterationCount" values defined here.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1086
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1087
# In order to apply new algorithms and parameters to all entries in an
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1088
# existing keystore, one can create a new keystore and add entries in the
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1089
# existing keystore into the new keystore. This can be achieved by calling the
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1090
# "keytool -importkeystore" command.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1091
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1092
# If a system property of the same name is also specified, it supersedes the
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1093
# security property value defined here.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1094
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1095
# If the property is set to an illegal value,
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1096
# an iteration count that is not a positive integer, or an unknown algorithm
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1097
# name, an exception will be thrown when the property is used.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1098
# If the property is not set or empty, a default value will be used.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1099
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1100
# Note: These properties are currently used by the JDK Reference implementation.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1101
# They are not guaranteed to be examined and used by other implementations.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1102
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1103
# The algorithm used to encrypt a certificate. This can be any non-Hmac PBE
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1104
# algorithm defined in the Cipher section of the Java Security Standard
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1105
# Algorithm Names Specification. When set to "NONE", the certificate
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1106
# is not encrypted. The default value is "PBEWithSHA1AndRC2_40".
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1107
#keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1108
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1109
# The iteration count used by the PBE algorithm when encrypting a certificate.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1110
# This value must be a positive integer. The default value is 50000.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1111
#keystore.pkcs12.certPbeIterationCount = 50000
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1112
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1113
# The algorithm used to encrypt a private key or secret key. This can be
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1114
# any non-Hmac PBE algorithm defined in the Cipher section of the Java
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1115
# Security Standard Algorithm Names Specification. The value must not be "NONE".
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1116
# The default value is "PBEWithSHA1AndDESede".
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1117
#keystore.pkcs12.keyProtectionAlgorithm = PBEWithSHA1AndDESede
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1118
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1119
# The iteration count used by the PBE algorithm when encrypting a private key
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1120
# or a secret key. This value must be a positive integer. The default value
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1121
# is 50000.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1122
#keystore.pkcs12.keyPbeIterationCount = 50000
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1123
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1124
# The algorithm used to calculate the optional MacData at the end of a PKCS12
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1125
# file. This can be any HmacPBE algorithm defined in the Mac section of the
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1126
# Java Security Standard Algorithm Names Specification. When set to "NONE",
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1127
# no Mac is generated. The default value is "HmacPBESHA1".
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1128
#keystore.pkcs12.macAlgorithm = HmacPBESHA1
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1129
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1130
# The iteration count used by the MacData algorithm. This value must be a
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1131
# positive integer. The default value is 100000.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1132
#keystore.pkcs12.macIterationCount = 100000
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1133
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1134
#
51236
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1135
# Enhanced exception message information
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1136
#
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1137
# By default, exception messages should not include potentially sensitive
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1138
# information such as file names, host names, or port numbers. This property
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1139
# accepts one or more comma separated values, each of which represents a
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1140
# category of enhanced exception message information to enable. Values are
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1141
# case-insensitive. Leading and trailing whitespaces, surrounding each value,
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1142
# are ignored. Unknown values are ignored.
50722
bc104aaf24e9 8204233: Add configurable option for enhanced socket IOException messages
michaelm
parents: 49787
diff changeset
  1143
#
51356
88d9be7f52c5 8208691: Tighten up jdk.includeInExceptions security property
mullan
parents: 51236
diff changeset
  1144
# NOTE: Use caution before setting this property. Setting this property
88d9be7f52c5 8208691: Tighten up jdk.includeInExceptions security property
mullan
parents: 51236
diff changeset
  1145
# exposes sensitive information in Exceptions, which could, for example,
88d9be7f52c5 8208691: Tighten up jdk.includeInExceptions security property
mullan
parents: 51236
diff changeset
  1146
# propagate to untrusted code or be emitted in stack traces that are
88d9be7f52c5 8208691: Tighten up jdk.includeInExceptions security property
mullan
parents: 51236
diff changeset
  1147
# inadvertently disclosed and made accessible over a public network.
88d9be7f52c5 8208691: Tighten up jdk.includeInExceptions security property
mullan
parents: 51236
diff changeset
  1148
#
51236
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1149
# The categories are:
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1150
#
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1151
#  hostInfo - IOExceptions thrown by java.net.Socket and the socket types in the
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1152
#             java.nio.channels package will contain enhanced exception
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1153
#             message information
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1154
#
51879
6ffa38b8da65 8207768: Improve exception messages during manifest parsing of jar archives
mbaesken
parents: 51465
diff changeset
  1155
#  jar      - enables more detailed information in the IOExceptions thrown
6ffa38b8da65 8207768: Improve exception messages during manifest parsing of jar archives
mbaesken
parents: 51465
diff changeset
  1156
#             by classes in the java.util.jar package
6ffa38b8da65 8207768: Improve exception messages during manifest parsing of jar archives
mbaesken
parents: 51465
diff changeset
  1157
#
51236
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1158
# The property setting in this file can be overridden by a system property of
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1159
# the same name, with the same syntax and possible values.
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1160
#
51879
6ffa38b8da65 8207768: Improve exception messages during manifest parsing of jar archives
mbaesken
parents: 51465
diff changeset
  1161
#jdk.includeInExceptions=hostInfo,jar
52948
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1162
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1163
#
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1164
# Policies for distrusting Certificate Authorities (CAs).
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1165
#
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1166
# This is a comma separated value of one or more case-sensitive strings, each
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1167
# of which represents a policy for determining if a CA should be distrusted.
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1168
# The supported values are:
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1169
#
53428
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1170
#   SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1171
#   root CA and issued after April 16, 2019 unless issued by one of the
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1172
#   following subordinate CAs which have a later distrust date:
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1173
#     1. Apple IST CA 2 - G1, SHA-256 fingerprint:
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1174
#        AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1175
#        Distrust after December 31, 2019.
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1176
#     2. Apple IST CA 8 - G1, SHA-256 fingerprint:
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1177
#        A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1178
#        Distrust after December 31, 2019.
52948
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1179
#
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1180
# Leading and trailing whitespace surrounding each value are ignored.
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1181
# Unknown values are ignored. If the property is commented out or set to the
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1182
# empty String, no policies are enforced.
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1183
#
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1184
# Note: This property is currently used by the JDK Reference implementation.
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1185
# It is not guaranteed to be supported by other SE implementations. Also, this
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1186
# property does not override other security properties which can restrict
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1187
# certificates such as jdk.tls.disabledAlgorithms or
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1188
# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1189
# if this property is not enabled.
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1190
#
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1191
jdk.security.caDistrustPolicies=SYMANTEC_TLS