[jdk11u-dev] RFR: 8269039: Disable SHA-1 Signed JARs

Goetz Lindenmaier goetz at openjdk.org
Mon Aug 1 09:42:44 UTC 2022


On Wed, 20 Jul 2022 07:44:55 GMT, Goetz Lindenmaier <goetz at openjdk.org> wrote:

> src/java.base/share/conf/security/java.security
> Does not resolve because 11 mentions "include jdk.disabled.namedCurves"
> 
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
> Some hunks did not apply because DISABLED_CHECK was renamed
> to JAR_DISABLED_CHECK in 17.
> Other hunks patch methods not in 11: checkWeakKey(), checkWeakAlg()
> as well as the calls to these methods.
> 
> test/jdk/java/security/Security/signedfirst/Dyn.sh
> test/jdk/java/security/Security/signedfirst/Static.sh
> Deleting did not apply.
> 
> test/jdk/java/util/jar/JarInputStream/signed.jar
> Patching this binary file failed. I just copied
> the file from 17.
> 
> test/jdk/sun/security/tools/jarsigner/CheckSignerCertChain.java
> Patch skipped, test not in 11.
> 
> test/jdk/sun/security/tools/jarsigner/TimestampCheck.java
> Resolved. Checked output differed.
> 
> test/lib/jdk/test/lib/security/SecurityUtils.java
> The change to this file was already backported.
> 
> In addition, I adapted 
> sun/security/tools/jarsigner/DefaultOptions.java
> sun/security/tools/jarsigner/NameClash.java
> sun/security/tools/jarsigner/EC.java
> according to 
>  "8172404: Tools should warn if weak algorithms are used before restricting them"
> which makes the tests pass.

Having double-checked with my colleagues I would like to push it as-is.

-------------

PR: https://git.openjdk.org/jdk11u-dev/pull/1244

