[8u] RFR: 8172404: Tools should warn if weak algorithms are used before restricting them

Severin Gehwolf sgehwolf at redhat.com
Thu Feb 4 19:18:47 UTC 2021


Hi Andrew,

Thanks for the review!

On Wed, 2021-02-03 at 18:28 +0000, Andrew Hughes wrote:
> Code looks good. Just a couple of typographical issues:
> 
> 1. In jarsigner/Main.java, a newline has gone missing in the changes
> there:
> 
> 11u:
> 
> +        checkWeakSign(sigalg, SIG_PRIMITIVE_SET, false);
> +
> +        checkWeakSign(privateKey);
> 
> 8u:
> 
> +        checkWeakSign(sigalg, SIG_PRIMITIVE_SET, false);
> +        checkWeakSign(privateKey);
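
Review bot: in the 8u hunk, checkWeakSign(privateKey) follows checkWeakSign(sigalg, SIG_PRIMITIVE_SET, false) directly, without the empty "+" line that separates the two calls in the 11u version quoted above it. Restoring that blank line keeps the backport textually identical to 11u at this spot, so later backports touching these lines are less likely to need manual adjustment.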

Thanks. Fixed locally.

> 2. The test/sun/security/tools/keytool/WeakAlg.java changes
> look quite different when comparing the 11u & 8u patches. Can
> you confirm the patched files are the same (or close enough)?

Yes, this is what I've used to arrive at the result. Looking at the JDK
11 code. Here is a diff (seems close enough to me):
https://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8172404/jdk8/02/WeakAlg.java.jdk8-jdk11.diff

> No need for a new webrev just for the correction in #1 if #2 is not an
> issue.

It doesn't seem to be.

Thanks,
Severin


