[jdk8u-dev] RFR: 8269039: Disable SHA-1 Signed JARs [v2]
Martin Balao
mbalao at openjdk.org
Thu Nov 17 07:00:42 UTC 2022
On Wed, 16 Nov 2022 15:58:23 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:
>> I'd like to backport this enhancement for parity with Oracle and the security roadmap [1]
>>
>> The patch is based on the OpenJDK11 backport [2]
>>
>> The changes are the following:
>>
>> 1. java.security.* files are changed on the base of java.security
>> 2. jdk/src/share/classes/sun/security/tools/jarsigner/Main.java : signJar method is merged manually because of differences in the JDK-8172404 backport.
>> 3. jdk/test/java/security/Security/signedfirst/DynStatic.java : modules dependency removed, changed path to utility classes
>> 4. jdk/test/sun/security/tools/jarsigner/Test4431684.java : changed library path. List.of() is not available in JDK8, so it is replaced with Arrays.asList()
>> 5. jdk/test/lib/security/SecurityUtils.java is updated to make removeFromDisabledAlgs method public. It is required by newly added test Test4431684.java
>> 6. jdk/test/sun/security/tools/jarsigner/DefaultOptions.java is skipped, it was introduced in JDK9 by JDK-8049834 as default_options.sh but never backported to JDK8
>> 7. JDK8 has jdk/test/sun/security/tools/jarsigner/diffend.sh test instead of jdk/test/sun/security/tools/jarsigner/DiffEnd.java. diffend.sh was not renamed to DiffEnd.java because JDK-8180573 is not backported to JDK8. JDK-8180573 is a big refactoring and out of scope for this issue. diffend.sh is updated accordingly: SHA1 is replaced with SHA-256
>> 8. JDK8 has jdk/test/sun/security/tools/jarsigner/ec.sh test instead of jdk/test/sun/security/tools/jarsigner/EC.java. ec.sh was not renamed to EC.java because JDK-8180573 is not backported to JDK8. JDK-8180573 is a big refactoring and out of scope for this issue. ec.sh has all required changes by JDK-8172404
>> 9. JDK8 has jdk/test/sun/security/tools/jarsigner/nameclash.sh test instead of jdk/test/sun/security/tools/jarsigner/NameClash.java. nameclash.sh was not renamed to NameClash.java because JDK-8180573 is not backported to JDK8. JDK-8180573 is a big refactoring and out of scope for this issue. nameclash.sh has all required changes by JDK-8172404
>> 10. JDK8 has jdk/test/sun/security/tools/jarsigner/oldsig.sh test instead of jdk/test/sun/security/tools/jarsigner/OldSig.java. oldsig.sh was not renamed to OldSig.java because JDK-8180573 is not backported to JDK8. JDK-8180573 is a big refactoring and out of scope for this issue. The changes in the oldsig.sh are not required because JDK-8217375 is not backported to JDK8.
>> 11. jdk/test/sun/security/tools/jarsigner/OldSig.props is not backported as it is not used in the jdk/test/sun/security/tools/jarsigner/oldsig.sh
>>
>> All java/security/Security sun/security/tools regression tests passed
>>
>> [1] - https://www.java.com/en/jre-jdk-cryptoroadmap.html
>> [2] - https://github.com/openjdk/jdk11u-dev/commit/5a0824ba813ceda47847c9162c8a10bb0b8898e8
>
> Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision:
>
> test fixes
I've verified that test `oldsig.sh` passes with and without SHA1. This is because even if a disabled algorithm is used for signing or if a disabled algorithm is found when verifying a signature, `jarsigner` returns `0`. While the jar is actually signed, the verification fails and the jar is considered unsigned. The test should do better in the assertion statement, for example by checking `sm ... B.class` in a verbose output. The test in later JDK releases has been fixed and the assertion statement improved.
@alexeybakhtin, my suggestion would be to backport the JDK-11 OldSig.java test to JDK-8. I agree with you that doing all the .sh -> .java test conversions is out of the scope of this backport, but I would make an exception for the case discussed here because, otherwise, we would be having a broken/useless test in JDK-8. I'm also open to considering adding a better assertion statement to the current .sh test. What do you think?
-------------
PR: https://git.openjdk.org/jdk8u-dev/pull/154
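
Added example, not part of the message above and not the OpenJDK test code: a shell check of the kind the review asks for, which asserts on the `s` and `m` flags of one entry in `jarsigner -verify -verbose` output instead of on the exit status. The function names are hypothetical and both sample outputs are constructed and abridged.

```shell
#!/bin/sh
# Added example. Sample outputs are constructed and abridged, not captured
# from a real run; function names are hypothetical.

# Entry line flags in `jarsigner -verify -verbose` output:
#   s = signature was verified, m = entry is listed in manifest.
# Reads that output on stdin; succeeds only if ENTRY's line carries s and m.
entry_is_verified() {
    awk -v entry="$1" '
        # Flags are the first field; an unverified entry starts with its size.
        $NF == entry && $1 ~ /^[a-z]+$/ && $1 ~ /s/ && $1 ~ /m/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed: the signature on B.class verified.
sample_verified() {
    cat <<'EOF'
s        171 Thu Nov 17 07:00:42 UTC 2022 META-INF/MANIFEST.MF
sm       120 Thu Nov 17 07:00:42 UTC 2022 B.class
jar verified.
EOF
}

# Constructed: the jar is treated as unsigned, so no flags are printed.
sample_unsigned() {
    cat <<'EOF'
         171 Thu Nov 17 07:00:42 UTC 2022 META-INF/MANIFEST.MF
         120 Thu Nov 17 07:00:42 UTC 2022 B.class
jar is unsigned.
EOF
}

# Both cases would look the same to a test that only checks the exit status.
for sample in sample_verified sample_unsigned; do
    if "$sample" | entry_is_verified B.class; then
        echo "$sample: B.class verified"
    else
        echo "$sample: B.class not verified"
    fi
done
```

In a test script the function would read from `jarsigner -verify -verbose` on the jar under test, and the test would fail when the function returns non-zero.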