From ff79e8c1d764f12d974d2bab0934e94ee738980b Mon Sep 17 00:00:00 2001
From: Anthony Scarpino <ascarpino@openjdk.org>
Date: Wed, 15 Feb 2017 12:55:20 -0800
Subject: [PATCH] 8174849: Change SHA1 certpath restrictions

Reviewed-by: mullan
---
 .../sun/security/provider/certpath/AlgorithmChecker.java      | 2 +-
 jdk/src/java.base/share/conf/security/java.security           | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java b/jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
index a12484d0e20..0be627b84ac 100644
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
@@ -276,7 +276,7 @@ public final class AlgorithmChecker extends PKIXCertPathChecker {
 
         AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
         PublicKey currPubKey = cert.getPublicKey();
-        String currSigAlg = x509Cert.getSigAlgName();
+        String currSigAlg = ((X509Certificate)cert).getSigAlgName();
 
         // Check the signature algorithm and parameters against constraints.
         if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg,
diff --git a/jdk/src/java.base/share/conf/security/java.security b/jdk/src/java.base/share/conf/security/java.security
index e2fde354bd4..5f2b472ffd3 100644
--- a/jdk/src/java.base/share/conf/security/java.security
+++ b/jdk/src/java.base/share/conf/security/java.security
@@ -598,8 +598,8 @@ krb5.kdc.bad.policy = tryLast
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & denyAfter 2017-01-01, \
-    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
+    DSA keySize < 1024, EC keySize < 224
 
 #
 # Algorithm restrictions for signed JAR files