Code review request: 7180907: Jarsigner -verify fails if rsa file used sha-256 with authenticated attributes

Weijun Wang weijun.wang at oracle.com
Wed Jul 11 18:42:30 PDT 2012


Someone else can review the 7u6 part? I need two reviewers.

Thanks
Max

On 07/06/2012 02:44 PM, Xuelei Fan wrote:
> On 7/6/2012 1:03 PM, Weijun Wang wrote:
>> Hi All
>>
>> I have two fixes for this bug:
>>
>> For 7u6: http://cr.openjdk.java.net/~weijun/7180907/7u/webrev.00/
>>
> Looks fine to me, except a very minor copyright date: you may want to
> use 2012 for SignerInfo.java.
>
>> This simply makes the name recognizable. It's safe and I don't want
>> anything broken in 7u6.
>>
>> Thanks
>> Max
>>
>> [1]
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html
>>
>>
>>
>> -------- Original Message --------
>> === *Description*
>> ============================================================
>> SHORT SUMMARY:
>> If a signature block (.RSA, a PKCS#7 object) contains authenticated
>> attributes
>> and uses a SHA-256 digest, verification will fail. The digest
>> algorithm is
>> stored in the PKCS7 using the correct OID (2.16.840.1.101.3.4.2.1) but
>> sun.security.x509.AlgorithmId maps this back to an algorithm with name
>> "SHA256". This is not a valid MessageDigest name - the correct version is
>> SHA-256.
>>
>> The debug output from:
>> jarsigner -J-Djava.security.debug=all -verbose -verify i3.jar
>> debug.txt and i3.jar available here:
>> ftp://bugftp.us.oracle.com/upload/bug_13/bug13941476
>> INDICATORS:
>> COUNTER INDICATORS:
>> TRIGGERS:
>> KNOWN WORKAROUND:
>>
>> PRESENT SINCE:
>> N/A
>> HOW TO VERIFY:
>> Run attached test case
>> NOTES FOR SE:
>> None
>> REGRESSION:
>>
>




More information about the security-dev mailing list