From d0891a2ffca7bc5f40f7770728ea035fbf6caa70 Mon Sep 17 00:00:00 2001
From: Xue-Lei Andrew Fan
Date: Thu, 27 Oct 2016 23:49:38 +0000
Subject: [PATCH] 8168822: Document that algorithm restrictions do not apply to trusted anchors

Reviewed-by: weijun, jnimeh, mullan
---
 jdk/src/java.base/share/conf/security/java.security | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/jdk/src/java.base/share/conf/security/java.security b/jdk/src/java.base/share/conf/security/java.security
index 966f9ba027e..a521dde7ebb 100644
--- a/jdk/src/java.base/share/conf/security/java.security
+++ b/jdk/src/java.base/share/conf/security/java.security
@@ -645,6 +645,9 @@ krb5.kdc.bad.policy = tryLast
 # before larger keysize constraints of the same algorithm. For example:
 # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
 #
+# Note: The algorithm restrictions do not apply to trust anchors or
+# self-signed certificates.
+#
 # Note: This property is currently used by Oracle's PKIX implementation. It
 # is not guaranteed to be examined and used by other implementations.
 #
@@ -714,6 +717,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 # See the specification of "jdk.certpath.disabledAlgorithms" for the
 # syntax of the disabled algorithm string.
 #
+# Note: The algorithm restrictions do not apply to trust anchors or
+# self-signed certificates.
+#
 # Note: This property is currently used by Oracle's JSSE implementation.
 # It is not guaranteed to be examined and used by other implementations.
 #
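Review bot: The added note in the first hunk (above the PKIX implementation note) and its identical copy in the second hunk (above the JSSE implementation note) says "trust anchors or self-signed certificates", which can be read as exempting every self-signed certificate rather than only those that are already trusted. If the intent is the narrower reading, the wording should say so, for example `# Note: The algorithm restrictions do not apply to trust anchors, including` / `# self-signed certificates that are configured as trusted.` The note also does not tell an operator what follows from the exemption: a trust anchor with a weak key or signature algorithm is presumably not rejected by these properties, so a sentence such as `# Review the trust store contents separately for weak keys or algorithms.` would help. The commit subject says "trusted anchors" while the comment text says "trust anchors"; one term should be used in both places.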