JI-9013191

Ivan Gerasimov ivan.gerasimov at oracle.com
Mon Jul 7 19:11:11 UTC 2014


Hi Robert!

I copied your update to the report and moved it into the JDK project.
You should be able to access it now: 
https://bugs.openjdk.java.net/browse/JDK-8049480

Sincerely yours,
Ivan

On 04.07.2014 12:30, Robert Gibson wrote:
> Hi,
> I'm the reporter of JI-9013191 and I just wanted to follow up with 
> some more information, since I can't see or comment on the bug in the 
> OpenJDK JIRA instance. Hope this is the right place.
> I'm having problems with JAR files signed and timestamped with JDK9 - 
> they fail validation under JDK7u60.  It looks like this is due to the 
> fact that JDK9 timestamps by default using SHA-256 - but in the JDK 7u 
> tree, AlgorithmId.java is missing a backport of changeset JDK-7180907 
> which means that SignatureFileVerifier#verifyTimestamp fails since it 
> is looking for an algorithm with the non-standard name SHA256 (without 
> a hyphen).
> By the way, the bug report talks about Web Start, but the minimal 
> reproducible case is much easier and doesn't involve Web Start:
> - create a jar with one file in it
> - sign and timestamp with JDK9 using default settings
> - verify with JDK7 -> verification failure "jar is unsigned. 
> (signatures missing or not parsable)"
> Running the verification with -J-Djava.security.debug=jar gives
> jar: processEntry: processing block
> jar: processEntry caught: java.security.NoSuchAlgorithmException: 
> SHA256 MessageDigest not available
> jar: done with meta!
> jar: nothing to verify!
> Hope that helps,
> Robert
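
Added example (not part of the original thread and not JDK code): a small triage script for the java.security.debug=jar trace quoted above. It separates a digest-name mismatch such as SHA256 vs. SHA-256 from a digest that is really unavailable, and flags the case where the jar then reads as unsigned. The names unwrap, triage and STANDARD_NAMES are hypothetical; the sample trace is the one from the report.

```python
import re

# Trace quoted in the report, including the mail client's line wrap
# after the exception class name.
SAMPLE_TRACE = """\
jar: processEntry: processing block
jar: processEntry caught: java.security.NoSuchAlgorithmException:
SHA256 MessageDigest not available
jar: done with meta!
jar: nothing to verify!
"""

# Hyphen-less spellings and the standard MessageDigest names they stand for.
STANDARD_NAMES = {"SHA1": "SHA-1", "SHA224": "SHA-224", "SHA256": "SHA-256",
                  "SHA384": "SHA-384", "SHA512": "SHA-512"}
CAUGHT = re.compile(r"processEntry caught: (?P<exc>[\w.$]+):\s*(?P<msg>.*)")
MISSING_DIGEST = re.compile(r"^(?P<alg>\S+) MessageDigest not available$")

def unwrap(trace):
    """Join wrapped lines (no 'jar: ' prefix) onto the preceding trace event."""
    events = []
    for line in trace.splitlines():
        line = line.strip()
        if line.startswith("jar: "):
            events.append(line[len("jar: "):])
        elif line and events:
            events[-1] += " " + line
    return events

def triage(trace):
    """Return a dict describing the first caught exception, or None."""
    events = unwrap(trace)
    for ev in events:
        m = CAUGHT.search(ev)
        if not m:
            continue
        finding = {"exception": m["exc"], "message": m["msg"], "cause": "other"}
        d = MISSING_DIGEST.match(m["msg"])
        if d and m["exc"].endswith("NoSuchAlgorithmException"):
            finding["algorithm"] = d["alg"]
            finding["standard_name"] = STANDARD_NAMES.get(d["alg"].upper())
            finding["cause"] = ("digest-name-mismatch" if finding["standard_name"]
                                else "digest-unavailable")
        # "nothing to verify!" after a caught exception: no signature was
        # accepted, so the jar is reported as unsigned rather than as invalid.
        finding["reported_unsigned"] = "nothing to verify!" in events
        return finding
    return None

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```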
