[jdk11u-dev] RFR: 8269039: Disable SHA-1 Signed JARs
Goetz Lindenmaier
goetz at openjdk.org
Wed Jul 20 07:54:41 UTC 2022
src/java.base/share/conf/security/java.security
  Does not resolve because 11 mentions "include jdk.disabled.namedCurves"

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
  Some hunks did not apply because DISABLED_CHECK was renamed
  to JAR_DISABLED_CHECK in 17.
  Other hunks patch methods not in 11: checkWeakKey(), checkWeakAlg()
  as well as the calls to these methods.

test/jdk/java/security/Security/signedfirst/Dyn.sh
test/jdk/java/security/Security/signedfirst/Static.sh
  Deleting did not apply.

test/jdk/java/util/jar/JarInputStream/signed.jar
  Patching this binary file failed. I just copied
  the file from 17.

test/jdk/sun/security/tools/jarsigner/CheckSignerCertChain.java
  Patch skipped, test not in 11.

test/jdk/sun/security/tools/jarsigner/TimestampCheck.java
  Resolved. Checked output differed.

test/lib/jdk/test/lib/security/SecurityUtils.java
  The change to this file was already backported.

In addition, I adapted
  sun/security/tools/jarsigner/DefaultOptions.java
  sun/security/tools/jarsigner/NameClash.java
  sun/security/tools/jarsigner/EC.java
according to
"8172404: Tools should warn if weak algorithms are used before restricting them"
which makes the tests pass.
-------------
Commit messages:
- Backport 6d91a3eb7bd1e1403cfb67f7eb8ce06d7e08e7a7
Changes: https://git.openjdk.org/jdk11u-dev/pull/1244/files
Webrev: https://webrevs.openjdk.org/?repo=jdk11u-dev&pr=1244&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8269039
Stats: 638 lines in 28 files changed: 300 ins; 214 del; 124 mod
Patch: https://git.openjdk.org/jdk11u-dev/pull/1244.diff
Fetch: git fetch https://git.openjdk.org/jdk11u-dev pull/1244/head:pull/1244
PR: https://git.openjdk.org/jdk11u-dev/pull/1244