jpkg enhancements to create signed modules

Vincent Ryan vincent.x.ryan at oracle.com
Tue May 11 07:09:16 PDT 2010


Thanks for your comments Max.

On 11/05/2010 13:15, Wang Weijun wrote:
> Simple ones first.
> 
> ContentInfo:
> HexDumpEncoder.encodeBuffer(*) is preferred.

Done.


> 
> Packager:
> 1. --nosign and --signer etc. can be combined quite freely. Is there an
> illegal combination?

Now it throws an exception when --nosign is supplied with any of --signer,
--keystore or --storetype.


> 2. We used to specify NONE for PKCS #11 keystore name. Although it's not
> recommended now, is it allowed?

Now supported.


> 3. What if user specifies a non-JKS type but hasn't provided keystore name?

That's allowed, for example, PKCS11 and Windows-MY.


> 4. The char[] returned by Password.readPassword() is not zeroed.

Done.


> 5. Do we have SHA256withDSA now?

That's a problem. Will investigate.


> 6. We've added CRL into signed jars recently. Any plan for it in signed
> modules? You might embed it in PKCS #7 block or create a supplementary
> module section (Is this possible?)

No plans to support this yet.


> 
> ModuleFileFormat:
> hashtype is hardcoded to SHA256?

Yes.


> 
> Thanks
> Max
> 
> 
> ------- Original message -------
>> From: Vincent Ryan <vincent.x.ryan at oracle.com>
>> To: jigsaw-dev at openjdk.java.net
>> Sent: 11.5.'10,  0:46
>>
>> Hello,
>>
>> Please review these code changes to support the creation of signed
>> modules:
>>
>>   http://cr.openjdk.java.net/~vinnie/6951048/webrev.00/webrev/
>>
>> It adds the following new options to the jpkg tool:
>>
>>   -S, --signer  <ID>         : module signer's identifier
>>   -k, --keystore <location>  : module signer's keystore location
>>   -t, --storetype <type>     : module signer's keystore type
>>   --nosign                   : do not sign the module
>>   --nopassword               : do not prompt for a keystore password
>>
>> Appropriate default values are supported and keystore passwords may be
>> supplied to jpkg by redirecting standard input.
>>
>>
>> This is just one of a number of changes to support signed modules
>> throughout jigsaw.
>>
>> Please send me your comments as I'm hoping to address any issues and
>> integrate these changes by the end of this week.
>>
>> Thanks.
> 
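
The option check, the NONE keystore name and the password zeroing discussed in this thread, as an added Java example that is not part of the original message or the jpkg sources. The class, method and parameter names are hypothetical, and the password and signer id are constructed sample values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;

// Added illustration; names are hypothetical, not taken from the jpkg sources.
public class SignerOptions {

    // Reject --nosign combined with any of the signing options.
    static void validate(boolean nosign, String signer, String keystore, String storetype) {
        if (nosign && (signer != null || keystore != null || storetype != null)) {
            throw new IllegalArgumentException(
                "--nosign cannot be combined with --signer, --keystore or --storetype");
        }
    }

    // Load the signer's keystore and wipe the password array afterwards.
    static KeyStore load(String location, String type, char[] password) throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            // Token-backed stores (PKCS11, Windows-MY) have no file: "NONE" or an
            // absent location both map to a null stream.
            if (location == null || location.equals("NONE")) {
                ks.load(null, password);
            } else {
                try (InputStream in = new FileInputStream(location)) {
                    ks.load(in, password);
                }
            }
            return ks;
        } finally {
            // Runs on success and on failure, so the secret does not outlive the call.
            if (password != null) Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed sample password
        // PKCS12 with a null stream yields an empty in-memory store, so this runs offline.
        KeyStore ks = load("NONE", "PKCS12", pw);
        System.out.println("entries=" + ks.size() + " wiped=" + (pw[0] == '\0'));
        try {
            validate(true, "alice", null, null); // constructed signer id
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A signer that also needs the password to retrieve the private key would do that retrieval before the wipe; the wipe follows the load here only to keep the example short.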