[jdk11u-dev] RFR: 8269039: Disable SHA-1 Signed JARs
Martin Balao
mbalao at openjdk.org
Fri Jul 29 01:54:55 UTC 2022
On Wed, 20 Jul 2022 07:44:55 GMT, Goetz Lindenmaier <goetz at openjdk.org> wrote:
> src/java.base/share/conf/security/java.security
> Does not resolve because 11 mentions "include jdk.disabled.namedCurves"
>
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
> Some hunks did not apply because DISABLED_CHECK was renamed
> to JAR_DISABLED_CHECK in 17.
> Other hunks patch methods not in 11: checkWeakKey(), checkWeakAlg()
> as well as the calls to these methods.
>
> test/jdk/java/security/Security/signedfirst/Dyn.sh
> test/jdk/java/security/Security/signedfirst/Static.sh
> Deleting did not apply.
>
> test/jdk/java/util/jar/JarInputStream/signed.jar
> Patching this binary file failed. I just copied
> the file from 17.
>
> test/jdk/sun/security/tools/jarsigner/CheckSignerCertChain.java
> Patch skipped, test not in 11.
>
> test/jdk/sun/security/tools/jarsigner/TimestampCheck.java
> Resolved. Checked output differed.
>
> test/lib/jdk/test/lib/security/SecurityUtils.java
> The change to this file was already backported.
>
> In addition, I adapted
> sun/security/tools/jarsigner/DefaultOptions.java
> sun/security/tools/jarsigner/NameClash.java
> sun/security/tools/jarsigner/EC.java
> according to
> "8172404: Tools should warn if weak algorithms are used before restricting them"
> which makes the tests pass.
Hi Goetz,
Thanks for proposing this backport.
Comments:
* src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
  * Looks to me that the parameter 'CertPathConstraintsParameters cpcp' is added to the method printCert but not used. In 17u, this parameter is passed to checkWeakKey (introduced in 8259401), which has not been backported to 11u. I'd consider either removing it or backporting 8259401 too, which does not seem (at first glance) too complex. Given that this is a minor comment and that we are targeting 11.0.17, this suggestion won't be a blocker.
* test/jdk/java/security/Security/signedfirst/exp.jar
  * I was comparing against 17u-dev and found that this file was not deleted there. The correct action is to delete it, as proposed in the 11u backport and in the original patch. When the test was a script, this file was used. Now that the test is in Java, it uses the test libs to create the JAR at run time. No harm but, technically, we should delete this file from 17u.
  * Note: this comment also applies to the file test/jdk/java/security/Security/signedfirst/keystore.jks.
In the test/jdk/sun/security/tools/jarsigner directory, I've not found references to "SHA1" that are not in 17u. The changes for tests removed in later releases look good to me.
I've also checked that there are no regressions in the following test categories:
* test/jdk/java/security/Security/signedfirst
* test/jdk/sun/security/tools/jarsigner
In summary, the 11u backport looks good to me. Good job.
I've seen that the 17u backport links the original CSR. In the old days we used to have a CSR specific for the backport. Please check that with the 11u release maintainers.
Thanks,
Martin.-
--
[1] - https://github.com/openjdk/jdk11u-dev/pull/1244/commits/942e3c297b1e99799d1b8443a4871bc3c1997741#diff-7083af3b8473a092987afa0bbb4d1694664649534bac716f6b9cd3c3b9833219R1449
-------------
Marked as reviewed by mbalao (Reviewer).
PR: https://git.openjdk.org/jdk11u-dev/pull/1244