[jdk11u-dev] RFR: 8269039: Disable SHA-1 Signed JARs
Goetz Lindenmaier
goetz at openjdk.org
Mon Aug 1 06:40:52 UTC 2022
On Wed, 20 Jul 2022 07:44:55 GMT, Goetz Lindenmaier <goetz at openjdk.org> wrote:
> src/java.base/share/conf/security/java.security
> Does not resolve because 11 mentions "include jdk.disabled.namedCurves"
>
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
> Some hunks did not apply because DISABLED_CHECK was renamed
> to JAR_DISABLED_CHECK in 17.
> Other hunks patch methods not in 11: checkWeakKey(), checkWeakAlg()
> as well as the calls to these methods.
>
> test/jdk/java/security/Security/signedfirst/Dyn.sh
> test/jdk/java/security/Security/signedfirst/Static.sh
> Deleting did not apply.
>
> test/jdk/java/util/jar/JarInputStream/signed.jar
> Patching this binary file failed. I just copied
> the file from 17.
>
> test/jdk/sun/security/tools/jarsigner/CheckSignerCertChain.java
> Patch skipped, test not in 11.
>
> test/jdk/sun/security/tools/jarsigner/TimestampCheck.java
> Resolved. Checked output differed.
>
> test/lib/jdk/test/lib/security/SecurityUtils.java
> The change to this file was already backported.
>
> In addition, I adapted
> sun/security/tools/jarsigner/DefaultOptions.java
> sun/security/tools/jarsigner/NameClash.java
> sun/security/tools/jarsigner/EC.java
> according to
> "8172404: Tools should warn if weak algorithms are used before restricting them"
> which makes the tests pass.
Hi Martin,
I filed 8291595: [17u] Delete files missed in backport of 8269039.
Also, I had a look at 8259401. It can be backported clean and passes our testing. But it comes with a release note about the warning, and there is no such note for 11. So I think we should rather not backport this change. So should I remove the argument?
On the other hand, eventual follow-up backports apply better if I keep it as-is, and this should not harm performance as it is only called for printing.
-------------
PR: https://git.openjdk.org/jdk11u-dev/pull/1244