Code review request: 7180907: Jarsigner -verify fails if rsa file used sha-256 with authenticated attributes

Vincent Ryan vincent.x.ryan at oracle.com
Thu Jul 12 09:41:40 UTC 2012


Your fix looks good, Max.
Thanks.

On 07/12/12 02:42 AM, Weijun Wang wrote:
> Someone else can review the 7u6 part? I need two reviewers.
>
> Thanks
> Max
>
> On 07/06/2012 02:44 PM, Xuelei Fan wrote:
>> On 7/6/2012 1:03 PM, Weijun Wang wrote:
>>> Hi All
>>>
>>> I have two fixes for this bug:
>>>
>>> For 7u6: http://cr.openjdk.java.net/~weijun/7180907/7u/webrev.00/
>>>
>> Looks fine to me, except a very minor copyright date: you may want to
>> use 2012 for SignerInfo.java.
>>
>>> This simply makes the name recognizable. It's safe and I don't want
>>> anything broken in 7u6.
>>>
>>> Thanks
>>> Max
>>>
>>> [1]
>>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html
>>>
>>> -------- Original Message --------
>>> === *Description*
>>> ============================================================
>>> SHORT SUMMARY:
>>> If a signature block (.RSA, a PKCS#7 object) contains authenticated
>>> attributes and uses a SHA-256 digest, verification will fail. The digest
>>> algorithm is stored in the PKCS7 using the correct OID
>>> (2.16.840.1.101.3.4.2.1) but sun.security.x509.AlgorithmId maps this back
>>> to an algorithm with name "SHA256". This is not a valid MessageDigest
>>> name - the correct version is SHA-256.
>>>
>>> The debug output from:
>>> jarsigner -J-Djava.security.debug=all -verbose -verify i3.jar
>>> debug.txt and i3.jar available here:
>>> ftp://bugftp.us.oracle.com/upload/bug_13/bug13941476
>>> INDICATORS:
>>> COUNTER INDICATORS:
>>> TRIGGERS:
>>> KNOWN WORKAROUND:
>>>
>>> PRESENT SINCE:
>>> N/A
>>> HOW TO VERIFY:
>>> Run attached test case
>>> NOTES FOR SE:
>>> None
>>> REGRESSION:
>>>
>>
>
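As an added example (not code from this thread or from the JDK), here is a small Python model of the step the bug report describes: resolving a SignerInfo digest-algorithm OID such as 2.16.840.1.101.3.4.2.1 to its standard name and checking the messageDigest authenticated attribute against the signed content. The DER helpers and the sample manifest content are constructed for the example, and unknown digest OIDs are refused rather than guessed at.

```python
import hashlib, hmac

# Digest OIDs -> JCA standard MessageDigest names (the StandardNames spelling, not "SHA256").
DIGEST_OIDS = {"1.3.14.3.2.26": "SHA-1", "2.16.840.1.101.3.4.2.1": "SHA-256",
               "2.16.840.1.101.3.4.2.2": "SHA-384", "2.16.840.1.101.3.4.2.3": "SHA-512"}
OID_DATA, OID_CONTENT_TYPE, OID_MESSAGE_DIGEST = ("1.2.840.113549.1.7.1",
    "1.2.840.113549.1.9.3", "1.2.840.113549.1.9.4")  # id-data, PKCS#9 contentType/messageDigest
def std_digest(name, content):  # hashlib spells the standard name "SHA-256" as "sha256"
    return hashlib.new(name.replace("-", "").lower(), content).digest()
def encode_oid(dotted):  # dotted string -> contents of a DER OBJECT IDENTIFIER
    a = [int(x) for x in dotted.split(".")]
    out = [40 * a[0] + a[1]]
    for arc in a[2:]:  # base-128, high bit set on every byte but the last
        groups = [arc >> s & 0x7F for s in range(0, arc.bit_length() or 1, 7)][::-1]
        out += [g | 0x80 for g in groups[:-1]] + groups[-1:]
    return bytes(out)

def der(tag, body):  # minimal DER TLV encoder (lengths below 65536)
    n = len(body)
    hdr = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + hdr + body

def tlv(buf, pos=0):  # decode one DER element at pos -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def attribute(oid, value):  # Attribute ::= SEQUENCE { type OID, values SET OF }
    return der(0x30, der(0x06, encode_oid(oid)) + der(0x31, value))
def signed_attrs(content_digest):  # [0] IMPLICIT SignedAttributes, as inside a SignerInfo
    return der(0xA0, attribute(OID_CONTENT_TYPE, der(0x06, encode_oid(OID_DATA)))
                     + attribute(OID_MESSAGE_DIGEST, der(0x04, content_digest)))
def verify_signed_attrs(digest_oid, attrs, content):
    """Return (bytes the signature covers, standard digest name) or raise. RFC 5652 5.4: the
    signature is over the attributes re-tagged as a plain SET OF (0x31), not the [0] (0xA0)."""
    name = DIGEST_OIDS.get(digest_oid)
    if name is None: raise ValueError("unsupported digest OID " + digest_oid)  # never guess
    tag, body, _ = tlv(attrs)
    if tag != 0xA0: raise ValueError("signedAttrs must be [0] IMPLICIT")
    found, pos = None, 0
    while pos < len(body):  # walk the SET OF Attribute looking for messageDigest
        _, attr, pos = tlv(body, pos)
        _, oid, p = tlv(attr)
        if oid == encode_oid(OID_MESSAGE_DIGEST):
            _, values, _ = tlv(attr, p)
            _, found, _ = tlv(values)
    if found is None or not hmac.compare_digest(found, std_digest(name, content)):
        raise ValueError("messageDigest attribute does not match the content")
    return der(0x31, body), name
```

A real verifier would then check the RSA signature over the returned bytes with the signer's certificate; the point here is that the OID lookup must yield the name the digest provider actually accepts before that step can succeed.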




More information about the security-dev mailing list