The shipped default java.security was updated in 11.0.18, so we need to update our puppetised copy (I've trimmed known local modifications):
Some of the new settings may only be introduced in 11.0.18, so it needs some consideration to first move to .18 across the fleet before bumping the template.
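Added example for this task (not part of the Puppet module or of OpenJDK): a small Python checker that parses the java.security property format (comments, `key=value`, backslash line continuations) and reports which entries of the disabledAlgorithms/legacyAlgorithms lists the newer file no longer carries. That is the question this diff raises for the template: which restrictions a vendor update quietly relaxes. The `OLD`/`NEW` snippets are constructed from the hunks below, not full files, and the function names are the example's own.

```python
"""Compare the effective settings of two java.security files.

Added example for the 11.0.18 template bump, not WMF Puppet code: parses
java.security (comments, key=value, backslash continuations) and lists
restriction entries the newer file drops, i.e. relaxations to review.
"""
import re
import sys

# Constructed from the diff in the task: a few active lines of the old
# puppetised file and of the 11.0.18 dpkg-new file (not the full files).
OLD = """\
# NOTE: This file is managed by Puppet.
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, SHA224, DSA, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, \\
    include jdk.disabled.namedCurves
jdk.security.legacyAlgorithms=SHA1, SHA224, DSA, \\
    RSA keySize < 2048, DSA keySize < 2048
#keystore.pkcs12.macAlgorithm = HmacPBESHA1
"""

NEW = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \\
    SHA1 usage SignedJAR & denyAfter 2019-01-01, \\
    include jdk.disabled.namedCurves
jdk.security.legacyAlgorithms=SHA1, \\
    RSA keySize < 2048, DSA keySize < 2048
#jdk.jndi.object.factoriesFilter=*
jdk.tls.alpnCharset=ISO_8859_1
"""

# Lists whose entries each remove something from what the JDK accepts;
# an entry disappearing between versions is a relaxation worth a look.
RESTRICTION_KEYS = (
    "jdk.certpath.disabledAlgorithms",
    "jdk.jar.disabledAlgorithms",
    "jdk.tls.disabledAlgorithms",
    "jdk.security.legacyAlgorithms",
)

_KV = re.compile(r"\s*([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_java_security(text):
    """Return {key: value} for the active properties in java.security text.

    Commented-out defaults ('#key=...') are skipped. A trailing backslash
    joins the next line with its leading whitespace dropped, as
    java.util.Properties does; the disabledAlgorithms lists rely on this.
    """
    props = {}
    pieces = []                      # fragments of the logical line in progress
    for raw in text.splitlines():
        line = raw.strip()
        if not pieces and (not line or line[0] in "#!"):
            continue                 # comment/blank only counts when not continuing
        if line.endswith("\\"):
            pieces.append(line[:-1])
            continue
        pieces.append(line)
        match = _KV.match("".join(pieces))
        pieces = []
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def algorithm_set(value):
    """Split a comma-separated algorithm constraint list into its entries."""
    return {entry.strip() for entry in value.split(",") if entry.strip()}


def diff_properties(old, new):
    """{key: (old_value, new_value)} for every key whose active value differs."""
    return {key: (old.get(key), new.get(key))
            for key in sorted(set(old) | set(new))
            if old.get(key) != new.get(key)}


def dropped_restrictions(old, new):
    """Entries of the restriction lists present in old but missing in new.

    Compared textually, so 'RSA keySize < 2048' becoming '< 1024' shows up
    as a dropped entry too, which is right: the new line rejects fewer keys.
    """
    dropped = {}
    for key in RESTRICTION_KEYS:
        gone = algorithm_set(old.get(key, "")) - algorithm_set(new.get(key, ""))
        if gone:
            dropped[key] = sorted(gone)
    return dropped


if __name__ == "__main__":
    # Usage: python java_security_diff.py OLD_FILE NEW_FILE (no args: built-in snippets)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old_text, new_text = f_old.read(), f_new.read()
    else:
        old_text, new_text = OLD, NEW
    old, new = parse_java_security(old_text), parse_java_security(new_text)
    for key, (before, after) in diff_properties(old, new).items():
        print(f"{key}: {before!r} -> {after!r}")
    for key, entries in dropped_restrictions(old, new).items():
        print(f"RELAXED {key}: no longer lists {', '.join(entries)}")
```

Run against the real template and the dpkg-new file the output is a list of changed active keys plus a RELAXED line per restriction list; on the constructed snippets it flags SHA1, SHA224, DSA and the 2048-bit minimums leaving jdk.certpath.disabledAlgorithms, and SHA224 and DSA leaving jdk.security.legacyAlgorithms, which is exactly what has to be decided before the template is bumped.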
--- /etc/java-11-openjdk/security/java.security 2022-05-20 07:28:54.136623795 +0000 +++ /etc/java-11-openjdk/security/java.security.dpkg-new 2023-01-27 14:52:45.000000000 +0000 @@ -1,9 +1,4 @@ -# NOTE: This file is managed by Puppet. # -# The following WMF-specific changes are made compared to the -# upstream file: -# jdk.security.legacyAlgorithms: Add DSA, SHA1, SHA224 - # This is the "master security properties file". # # An alternate java.security properties file may be specified 
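Review bot: the first hunk deletes the Puppet-managed header together with the record of WMF-specific changes (`jdk.security.legacyAlgorithms: Add DSA, SHA1, SHA224`), which is expected for a plain dpkg-new file but must not end up in the template. When the template is regenerated from 11.0.18, re-add `# NOTE: This file is managed by Puppet.` and rewrite the change list to match the local deltas that are actually kept, otherwise the next comparison against a vendor file has no record of what was intentional.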
@@ -435,21 +428,22 @@ # Policy for failed Kerberos KDC lookups: # # When a KDC is unavailable (network error, service failure, etc), it is -# put inside a blacklist and accessed less often for future requests. The +# put inside a secondary list and accessed less often for future requests. The # value (case-insensitive) for this policy can be: # # tryLast -# KDCs in the blacklist are always tried after those not on the list. +# KDCs in the secondary list are always tried after those not on the list. # # tryLess[:max_retries,timeout] -# KDCs in the blacklist are still tried by their order in the configuration, -# but with smaller max_retries and timeout values. max_retries and timeout -# are optional numerical parameters (default 1 and 5000, which means once -# and 5 seconds). Please notes that if any of the values defined here is -# more than what is defined in krb5.conf, it will be ignored. +# KDCs in the secondary list are still tried by their order in the +# configuration, but with smaller max_retries and timeout values. +# max_retries and timeout are optional numerical parameters (default 1 and +# 5000, which means once and 5 seconds). Please note that if any of the +# values defined here are more than what is defined in krb5.conf, it will be +# ignored. # -# Whenever a KDC is detected as available, it is removed from the blacklist. -# The blacklist is reset when krb5.conf is reloaded. You can add +# Whenever a KDC is detected as available, it is removed from the secondary +# list. The secondary list is reset when krb5.conf is reloaded. You can add # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is # reloaded whenever a JAAS authentication is attempted. # 
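Review bot: comment-only hunk (blacklist renamed to secondary list, sentences reflowed, "Please notes" corrected); no key or value in the Kerberos KDC policy changes, so the template just takes the new wording.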
@@ -560,7 +554,7 @@ # can be included in the disabledAlgorithms properties. These properties are # to help manage common actions easier across multiple disabledAlgorithm # properties. -# There is one defined security property: jdk.disabled.NamedCurves +# There is one defined security property: jdk.disabled.namedCurves # See the property for more specific details. # # @@ -635,8 +629,9 @@ # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # # -jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, SHA224, DSA, SHA1 jdkCA & usage TLSServer, \ - RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, \ +jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \ + RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \ + SHA1 usage SignedJAR & denyAfter 2019-01-01, \ include jdk.disabled.namedCurves # @@ -656,7 +651,7 @@ # implementation. It is not guaranteed to be examined and used by other # implementations. -jdk.security.legacyAlgorithms=SHA1, SHA224, DSA, \ +jdk.security.legacyAlgorithms=SHA1, \ RSA keySize < 2048, DSA keySize < 2048 # @@ -701,7 +696,8 @@ # See "jdk.certpath.disabledAlgorithms" for syntax descriptions. # jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ - DSA keySize < 1024, include jdk.disabled.namedCurves + DSA keySize < 1024, SHA1 denyAfter 2019-01-01, \ + include jdk.disabled.namedCurves # # Algorithm restrictions for Secure Socket Layer/Transport Layer Security 
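Review bot: the hunk at 560 is a comment-only typo fix, `jdk.disabled.NamedCurves` becoming `jdk.disabled.namedCurves`, and now matches the `include jdk.disabled.namedCurves` entries used in the lists below it.

Review bot: the hunk at 635 relaxes jdk.certpath.disabledAlgorithms and needs a decision, not a blind copy. The old line disabled SHA1, SHA224 and DSA outright and `RSA keySize < 2048, DSA keySize < 2048`; the new one only disables `SHA1 jdkCA & usage TLSServer` and keys `< 1024`, adding `SHA1 usage SignedJAR & denyAfter 2019-01-01`. The header removed in the first hunk documents only the legacyAlgorithms change as local, so confirm whether the stricter certpath line was an undocumented local hardening or an older packaged default; if it was ours, carry it into the template. The hunk at 656 drops SHA224 and DSA from jdk.security.legacyAlgorithms in the same way, so settle both lists together.

Review bot: the hunk at 701 adds `SHA1 denyAfter 2019-01-01` to jdk.jar.disabledAlgorithms, which together with the SignedJAR clause in the certpath hunk means a SHA-1 signed jar that is not timestamped, or timestamped after that date, is verified as if unsigned. Before rolling .18 out, check locally built or vendored signed jars on the hosts that care about jar signatures.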
@@ -1132,6 +1128,77 @@ java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!* # +# PKCS12 KeyStore properties +# +# The following properties, if configured, are used by the PKCS12 KeyStore +# implementation during the creation of a new keystore. Several of the +# properties may also be used when modifying an existing keystore. The +# properties can be overridden by a KeyStore API that specifies its own +# algorithms and parameters. +# +# If an existing PKCS12 keystore is loaded and then stored, the algorithm and +# parameter used to generate the existing Mac will be reused. If the existing +# keystore does not have a Mac, no Mac will be created while storing. If there +# is at least one certificate in the existing keystore, the algorithm and +# parameters used to encrypt the last certificate in the existing keystore will +# be reused to encrypt all certificates while storing. If the last certificate +# in the existing keystore is not encrypted, all certificates will be stored +# unencrypted. If there is no certificate in the existing keystore, any newly +# added certificate will be encrypted (or stored unencrypted if algorithm +# value is "NONE") using the "keystore.pkcs12.certProtectionAlgorithm" and +# "keystore.pkcs12.certPbeIterationCount" values defined here. Existing private +# and secret key(s) are not changed. Newly set private and secret key(s) will +# be encrypted using the "keystore.pkcs12.keyProtectionAlgorithm" and +# "keystore.pkcs12.keyPbeIterationCount" values defined here. +# +# In order to apply new algorithms and parameters to all entries in an +# existing keystore, one can create a new keystore and add entries in the +# existing keystore into the new keystore. This can be achieved by calling the +# "keytool -importkeystore" command. +# +# If a system property of the same name is also specified, it supersedes the +# security property value defined here. 
+# +# If the property is set to an illegal value, +# an iteration count that is not a positive integer, or an unknown algorithm +# name, an exception will be thrown when the property is used. +# If the property is not set or empty, a default value will be used. +# +# Note: These properties are currently used by the JDK Reference implementation. +# They are not guaranteed to be examined and used by other implementations. + +# The algorithm used to encrypt a certificate. This can be any non-Hmac PBE +# algorithm defined in the Cipher section of the Java Security Standard +# Algorithm Names Specification. When set to "NONE", the certificate +# is not encrypted. The default value is "PBEWithHmacSHA256AndAES_256". +#keystore.pkcs12.certProtectionAlgorithm = PBEWithHmacSHA256AndAES_256 + +# The iteration count used by the PBE algorithm when encrypting a certificate. +# This value must be a positive integer. The default value is 10000. +#keystore.pkcs12.certPbeIterationCount = 10000 + +# The algorithm used to encrypt a private key or secret key. This can be +# any non-Hmac PBE algorithm defined in the Cipher section of the Java +# Security Standard Algorithm Names Specification. The value must not be "NONE". +# The default value is "PBEWithHmacSHA256AndAES_256". +#keystore.pkcs12.keyProtectionAlgorithm = PBEWithHmacSHA256AndAES_256 + +# The iteration count used by the PBE algorithm when encrypting a private key +# or a secret key. This value must be a positive integer. The default value +# is 10000. +#keystore.pkcs12.keyPbeIterationCount = 10000 + +# The algorithm used to calculate the optional MacData at the end of a PKCS12 +# file. This can be any HmacPBE algorithm defined in the Mac section of the +# Java Security Standard Algorithm Names Specification. When set to "NONE", +# no Mac is generated. The default value is "HmacPBESHA256". +#keystore.pkcs12.macAlgorithm = HmacPBESHA256 + +# The iteration count used by the MacData algorithm. 
This value must be a +# positive integer. The default value is 10000. +#keystore.pkcs12.macIterationCount = 10000 + +# # Enhanced exception message information # # By default, exception messages should not include potentially sensitive @@ -1236,7 +1303,6 @@ # There are 3 possible values: # # no-impersonate - Ignore this configuration entry, and always act as - # the owner of the TGT (if it exists). # # try-impersonate - Try impersonation when this configuration entry exists. 
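Review bot: the PKCS12 block in the hunk at 1132 is mostly a relocation of the text removed further down in the 1267 hunk, but two things change: the Mac default moves from `HmacPBESHA1` to `HmacPBESHA256`, and `keystore.pkcs12.macIterationCount` is new. Per the block's own comment an existing keystore keeps its Mac algorithm when loaded and stored again, so only newly created keystores get the SHA-256 Mac; make sure any non-JDK tooling that opens keystores created on .18 hosts can handle an HmacPBESHA256 MacData.

Review bot: the hunk at 1236 removes only the continuation line `# the owner of the TGT (if it exists).`, which leaves `no-impersonate - Ignore this configuration entry, and always act as` cut off mid-sentence. Check the shipped file to see whether upstream really lost that line or the paste did, before the truncated comment is carried into the template.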
@@ -1267,69 +1333,34 @@ # #jdk.security.allowNonCaAnchor=true +# JNDI Object Factories Filter # -# PKCS12 KeyStore properties -# -# The following properties, if configured, are used by the PKCS12 KeyStore -# implementation during the creation of a new keystore. Several of the -# properties may also be used when modifying an existing keystore. The -# properties can be overridden by a KeyStore API that specifies its own -# algorithms and parameters. -# -# If an existing PKCS12 keystore is loaded and then stored, the algorithm and -# parameter used to generate the existing Mac will be reused. If the existing -# keystore does not have a Mac, no Mac will be created while storing. If there -# is at least one certificate in the existing keystore, the algorithm and -# parameters used to encrypt the last certificate in the existing keystore will -# be reused to encrypt all certificates while storing. If the last certificate -# in the existing keystore is not encrypted, all certificates will be stored -# unencrypted. If there is no certificate in the existing keystore, any newly -# added certificate will be encrypted (or stored unencrypted if algorithm -# value is "NONE") using the "keystore.pkcs12.certProtectionAlgorithm" and -# "keystore.pkcs12.certPbeIterationCount" values defined here. Existing private -# and secret key(s) are not changed. Newly set private and secret key(s) will -# be encrypted using the "keystore.pkcs12.keyProtectionAlgorithm" and -# "keystore.pkcs12.keyPbeIterationCount" values defined here. +# This filter is used by the JNDI runtime to control the set of object factory classes +# which will be allowed to instantiate objects from object references returned by +# naming/directory systems. The factory class named by the reference instance will be +# matched against this filter. The filter property supports pattern-based filter syntax +# with the same format as jdk.serialFilter. 
+# +# Each pattern is matched against the factory class name to allow or disallow it's +# instantiation. The access to a factory class is allowed unless the filter returns +# REJECTED. # -# In order to apply new algorithms and parameters to all entries in an -# existing keystore, one can create a new keystore and add entries in the -# existing keystore into the new keystore. This can be achieved by calling the -# "keytool -importkeystore" command. +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be examined and used by other implementations. # -# If a system property of the same name is also specified, it supersedes the -# security property value defined here. +# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes +# the security property value defined here. The default value of the property is "*". # -# If the property is set to an illegal value, -# an iteration count that is not a positive integer, or an unknown algorithm -# name, an exception will be thrown when the property is used. -# If the property is not set or empty, a default value will be used. +# The default pattern value allows any object factory class specified by the reference +# instance to recreate the referenced object. +#jdk.jndi.object.factoriesFilter=* + +# +# The default Character set name (java.nio.charset.Charset.forName()) +# for converting TLS ALPN values between byte arrays and Strings. +# Prior versions of the JDK may use UTF-8 as the default charset. If +# you experience interoperability issues, setting this property to UTF-8 +# may help. # -# Note: These properties are currently used by the JDK Reference implementation. -# They are not guaranteed to be examined and used by other implementations. - -# The algorithm used to encrypt a certificate. This can be any non-Hmac PBE -# algorithm defined in the Cipher section of the Java Security Standard -# Algorithm Names Specification. 
When set to "NONE", the certificate -# is not encrypted. The default value is "PBEWithHmacSHA256AndAES_256". -#keystore.pkcs12.certProtectionAlgorithm = PBEWithHmacSHA256AndAES_256 - -# The iteration count used by the PBE algorithm when encrypting a certificate. -# This value must be a positive integer. The default value is 10000. -#keystore.pkcs12.certPbeIterationCount = 10000 - -# The algorithm used to encrypt a private key or secret key. This can be -# any non-Hmac PBE algorithm defined in the Cipher section of the Java -# Security Standard Algorithm Names Specification. The value must not be "NONE". -# The default value is "PBEWithHmacSHA256AndAES_256". -#keystore.pkcs12.keyProtectionAlgorithm = PBEWithHmacSHA256AndAES_256 - -# The iteration count used by the PBE algorithm when encrypting a private key -# or a secret key. This value must be a positive integer. The default value -# is 10000. -#keystore.pkcs12.keyPbeIterationCount = 10000 - -# The algorithm used to calculate the optional MacData at the end of a PKCS12 -# file. This can be any HmacPBE algorithm defined in the Mac section of the -# Java Security Standard Algorithm Names Specification. When set to "NONE", -# no Mac is generated. The default value is "HmacPBESHA1". -#keystore.pkcs12.macAlgorithm = HmacPBESHA1 +# jdk.tls.alpnCharset=UTF-8 +jdk.tls.alpnCharset=ISO_8859_1
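Review bot: in the hunk at 1267 the new `jdk.jndi.object.factoriesFilter` arrives commented out with the default `*`, which per its own comment lets any object factory class named by a JNDI reference be instantiated. This is the knob for limiting which factory classes the JNDI runtime may load, so the template should set an allowlist of the factory classes our services actually need rather than inherit the permissive default; the comment notes the system property of the same name supersedes this value, so services that set it on their command line keep winning.

Review bot: the last line, `jdk.tls.alpnCharset=ISO_8859_1`, is the only uncommented active setting in this hunk (the `# jdk.tls.alpnCharset=UTF-8` above it is the example from the comment). The property only exists from .18, which is the case the description is about: on hosts still on an older patch level it is simply an unknown key and ignored, so it is safe to ship early but only takes effect once the fleet is on .18.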