@@ -753,6 +753,54 @@ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
753753 ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, \
754754 ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature
755755
756+ #
757+ # Algorithm restrictions for Java Crypto API services
758+ #
759+ # In some environments, certain algorithms may be undesirable for certain
760+ # cryptographic services. For example, "MD2" is generally no longer considered
761+ # to be a secure hash algorithm. This section describes the mechanism for
762+ # disabling algorithms at the JCA/JCE level based on service name and algorithm
763+ # name.
764+ #
765+ # If a system property of the same name is also specified, it supersedes the
766+ # security property value defined here.
767+ #
768+ # The syntax of the disabled services string is described as follows:
769+ # "DisabledService {, DisabledService}"
770+ #
771+ # DisabledService:
772+ # Service.AlgorithmName
773+ #
774+ # Service: (one of the following, more services may be added later)
775+ # Cipher | KeyStore | MessageDigest | Signature
776+ #
777+ # AlgorithmName:
778+ # (see below)
779+ #
780+ # The "AlgorithmName" is the standard algorithm name of the disabled
781+ # service. See the Java Security Standard Algorithm Names Specification
782+ # for information about Standard Algorithm Names. Matching is
783+ # performed using a case-insensitive exact matching rule. For Cipher service,
784+ # its algorithm is the transformation string.
785+ #
786+ # Note: If the property value contains entries with invalid syntax or
787+ # unsupported services at the time of checking, an ExceptionInInitializerError
788+ # with a cause of IllegalArgumentException will be thrown.
789+ #
790+ # Note: The restriction is applied in the various getInstance(...) methods
791+ # of the supported Service classes, i.e. Cipher, KeyStore, MessageDigest,
792+ # and Signature. If the algorithm is disabled, a NoSuchAlgorithmException will
793+ # be thrown by the getInstance methods of Cipher, MessageDigest, and Signature
794+ # and a KeyStoreException by the getInstance methods of KeyStore.
795+ #
796+ # Note: This property is currently used by the JDK Reference implementation.
797+ # It is not guaranteed to be examined and used by other implementations.
798+ #
799+ # Example:
800+ # jdk.crypto.disabledAlgorithms=Cipher.RSA/ECB/PKCS1Padding, MessageDigest.MD2
801+ #
802+ #jdk.crypto.disabledAlgorithms=
803+
756804#
757805# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
758806# processing in JSSE implementation.
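Review bot: The "case-insensitive exact matching rule" for AlgorithmName leaves a gap in the Cipher case that the comment block should spell out: because the Cipher entry is the full transformation string, an entry such as `Cipher.RSA/ECB/PKCS1Padding` (the example given) will not block `Cipher.getInstance("RSA")`, even though a provider may resolve the short form to the same mode and padding. Suggest adding a sentence after "For Cipher service, its algorithm is the transformation string." stating that short-form transformations are not expanded before matching, so each spelling an application might request must be listed separately. Two smaller points: the syntax description does not say whether whitespace around the comma-separated entries is ignored (the caDistrustPolicies section later in this file says so explicitly, and the example itself contains a space after the comma), and the note about ExceptionInInitializerError would be more useful if it named which class's initialization fails, since that error surfaces far from the property that caused it.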
@@ -1300,6 +1348,9 @@ jdk.sasl.disabledMechanisms=
13001348# CAMERFIRMA_TLS : Distrust TLS Server certificates anchored by
13011349# a Camerfirma root CA and issued after April 15, 2025.
13021350#
1351+ # CHUNGHWA_TLS : Distrust TLS Server certificates anchored by
1352+ # a Chunghwa root CA and issued after March 17, 2026.
1353+ #
13031354# Leading and trailing whitespace surrounding each value are ignored.
13041355# Unknown values are ignored. If the property is commented out or set to the
13051356# empty String, no policies are enforced.
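Review bot: The new CHUNGHWA_TLS entry follows the wording and date style of the CAMERFIRMA_TLS entry above it, so no format change is needed; the one thing worth flagging is that the immediately following text states "Unknown values are ignored", which means an implementation that does not yet recognize CHUNGHWA_TLS will silently enforce nothing for it rather than fail. Suggest making sure the accompanying change includes a test that a certificate chained to a Chunghwa root with a notBefore after March 17, 2026 is actually rejected, so the documented policy and the enforced behaviour cannot drift apart unnoticed.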
@@ -1311,7 +1362,8 @@ jdk.sasl.disabledMechanisms=
13111362# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
13121363# if this property is not enabled.
13131364#
1314- jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS,CAMERFIRMA_TLS
1365+ jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS,CAMERFIRMA_TLS,\
1366+ CHUNGHWA_TLS
13151367
13161368#
13171369# FilePermission path canonicalization
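Review bot: The backslash continuation on the `jdk.security.caDistrustPolicies=` line is correct for the Properties format used by this file: a trailing `\` joins the next line and the leading whitespace before `CHUNGHWA_TLS` is dropped, so the value parses as `SYMANTEC_TLS,ENTRUST_TLS,CAMERFIRMA_TLS,CHUNGHWA_TLS`, matching the multi-line convention already used for `jdk.tls.disabledAlgorithms` in the first hunk. Since the same section says unknown values are ignored, a misspelling here would disable the new policy without any error; suggest a unit test that reads the default property and asserts the CHUNGHWA_TLS policy is active, rather than relying on visual inspection of the wrapped line.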