RFR: 8278851: Correct signer logic for jars signed with multiple digestalgs
Sean Mullan
mullan at openjdk.java.net
Wed Jan 12 22:04:55 UTC 2022
If a JAR is signed with multiple digest algorithms and one of the digest algorithms is disabled, `ManifestEntryVerifier.verify()` was incorrectly returning null indicating that the jar entry has no signers.
This fixes the issue such that an entry is considered signed if at least one of the digest algorithms is not disabled and the digest match passes. This makes the fix consistent with how multiple digest algorithms are handled in the Signature File. This also fixes an issue in the `ManifestEntryVerifier.getParams()` method in which it was incorrectly checking the algorithm constraints against all signers of a JAR when it should check them only against the signers of the entry that is being verified.
An additional cache has also been added to avoid checking if the digest algorithm is disabled more than once for entries signed by the same set of signers.
-------------
Commit messages:
- Initial revision.
Changes: https://git.openjdk.java.net/jdk/pull/7056/files
Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=7056&range=00
Issue: https://bugs.openjdk.java.net/browse/JDK-8278851
Stats: 263 lines in 3 files changed: 213 ins; 20 del; 30 mod
Patch: https://git.openjdk.java.net/jdk/pull/7056.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/7056/head:pull/7056
PR: https://git.openjdk.java.net/jdk/pull/7056
More information about the core-libs-dev
mailing list