JI-9013191

Robert Gibson robbiexgibson at yahoo.com
Fri Jul 4 08:30:08 UTC 2014


Hi,
I'm the reporter of JI-9013191 and I just wanted to follow up with some more information, since I can't see or comment on the bug in the OpenJDK JIRA instance. Hope this is the right place.

I'm having problems with JAR files signed and timestamped with JDK9 - they fail validation under JDK7u60.  It looks like this is due to the fact that JDK9 timestamps by default using SHA-256 - but in the JDK 7u tree, AlgorithmId.java is missing a backport of changeset JDK-7180907 which means that SignatureFileVerifier#verifyTimestamp fails since it is looking for an algorithm with the non-standard name SHA256 (without a hyphen).

By the way, the bug report talks about Web Start, but the minimal reproducible case is much easier and doesn't involve Web Start:
- create a jar with one file in it
- sign and timestamp with JDK9 using default settings
- verify with JDK7 -> verification failure "jar is unsigned. (signatures missing or not parsable)"

Running the verification with -J-Djava.security.debug=jar gives:
jar: processEntry: processing block
jar: processEntry caught: java.security.NoSuchAlgorithmException: SHA256 MessageDigest not available
jar: done with meta!
jar: nothing to verify!

Hope that helps,
Robert
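A small probe a practitioner could run under each JDK to see which digest algorithm names its providers resolve, and how a compatibility shim could map the non-hyphenated spelling back to the standard JCA name. This is an added example, not code from the report or from the JDK; the alias table is an assumption about what such a shim would need, not a description of the JDK-7180907 changeset.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

/**
 * Probes which MessageDigest names the running JDK accepts and demonstrates a
 * defensive fallback from non-standard names (e.g. "SHA256") to the standard
 * JCA names (e.g. "SHA-256"). Uses only Java 7 APIs so the same class can be
 * run under both the signing and the verifying JDK.
 */
public class DigestNameProbe {

    // Assumed alias table: non-hyphenated spellings seen in signature and
    // timestamp metadata, mapped to the names every JCA provider registers.
    private static final Map<String, String> ALIASES = new HashMap<String, String>();
    static {
        ALIASES.put("SHA1", "SHA-1");
        ALIASES.put("SHA256", "SHA-256");
        ALIASES.put("SHA384", "SHA-384");
        ALIASES.put("SHA512", "SHA-512");
    }

    /**
     * Resolves a digest by name, retrying with the standard spelling when the
     * provider does not register the alias. Rethrows if neither form resolves,
     * so an unknown algorithm is never silently accepted.
     */
    static MessageDigest getDigest(String name) throws NoSuchAlgorithmException {
        try {
            return MessageDigest.getInstance(name);
        } catch (NoSuchAlgorithmException e) {
            String standard = ALIASES.get(name.toUpperCase(Locale.ROOT));
            if (standard == null) {
                throw e;
            }
            return MessageDigest.getInstance(standard);
        }
    }

    public static void main(String[] args) {
        // Default probe set: the standard names beside their hyphen-less spellings.
        String[] names = args.length > 0
                ? args
                : new String[] {"SHA-1", "SHA1", "SHA-256", "SHA256"};

        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String n : names) {
            String direct;
            try {
                MessageDigest.getInstance(n);
                direct = "resolves";
            } catch (NoSuchAlgorithmException e) {
                direct = "NoSuchAlgorithmException";
            }
            String viaAlias;
            try {
                viaAlias = getDigest(n).getAlgorithm();
            } catch (NoSuchAlgorithmException e) {
                viaAlias = "unresolvable";
            }
            System.out.printf("%-8s direct: %-26s with alias fallback: %s%n", n, direct, viaAlias);
        }
    }
}
```

Compile once and run it with the `java` binary of each JDK in question; a name that reports `NoSuchAlgorithmException` under the verifying JDK is exactly the lookup that the debug trace above shows failing inside the JAR verifier. The fallback only maps spellings it knows; anything else still fails closed.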