[8u] RFR: 8172404: Tools should warn if weak algorithms are used before restricting them
Severin Gehwolf
sgehwolf at redhat.com
Thu Feb 4 19:18:47 UTC 2021
Hi Andrew,
Thanks for the review!
On Wed, 2021-02-03 at 18:28 +0000, Andrew Hughes wrote:
> Code looks good. Just a couple of typographical issues:
>
> 1. In jarsigner/Main.java, a newline has gone missing in the changes
> there:
>
> 11u:
>
> + checkWeakSign(sigalg, SIG_PRIMITIVE_SET, false);
> +
> + checkWeakSign(privateKey);
>
> 8u:
>
> + checkWeakSign(sigalg, SIG_PRIMITIVE_SET, false);
> + checkWeakSign(privateKey);
Thanks. Fixed locally.
> 2. The test/sun/security/tools/keytool/WeakAlg.java changes
> look quite different when comparing the 11u & 8u patches. Can
> you confirm the patched files are the same (or close enough)?
Yes, this is what I've used to arrive at the result. Looking at the JDK
11 code. Here is a diff (seems close enough to me):
https://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8172404/jdk8/02/WeakAlg.java.jdk8-jdk11.diff
> No need for a new webrev just for the correction in #1 if #2 is not an
> issue.
It doesn't seem to be.
Thanks,
Severin