jpkg enhancements to create signed modules
Wang Weijun
Weijun.Wang at Sun.COM
Tue May 11 05:15:02 PDT 2010
Simple ones first.
ContentInfo:
HexDumpEncoder.encodeBuffer(*) is preferred.
Packager:
1. --nosign and --signer etc can be combinated quite freely. Is there an
illegal combination?
2. We used to specify NONE for PKCS #11 keystore name. Although it's not
recommended now, is it allowed?
3. What if user specifies a non-JKS type but hasn't provided keystore name?
4. The char[] returned by Password.readPassword() is not zeroed.
5. Do we have SHA256withDSA now?
6. We've added CRL into signed jars recently. Any plan for it in signed
modules? You might embed it in PKCS #7 block or create a supplementary
module section (Is this possible?)
ModuleFileFormat:
hashtype is hardcoded to SHA256?
Thanks
Max
------- Original message -------
> From: Vincent Ryan <vincent.x.ryan at oracle.com>
> To: jigsaw-dev at openjdk.java.net
> Sent: 11.5.'10, 0:46
>
> Hello,
>
> Please review these code changes to support the creation of signed
> modules:
>
> http://cr.openjdk.java.net/~vinnie/6951048/webrev.00/webrev/
>
> It adds the following new options to the jpkg tool:
>
> -S, --signer <ID> : module signer's identifier
> -k, --keystore <location> : module signer's keystore location
> -t, --storetype <type> : module signer's keystore type
> --nosign : do not sign the module
> --nopassword : do not prompt for a keystore password
>
> Appropriate default values are supported and keystore passwords may be
> supplied to jpkg by redirecting standard input.
>
>
> This is just one of a number of changes to support signed modules
> throughout
> jigsaw.
>
> Please send me your comments as I'm hoping to address any issues and
> integrate
> these changes by the end of this week.
>
> Thanks.
More information about the jigsaw-dev
mailing list