RFR 8044755: Add a test for algorithm constraints check in jarsigner
Xuelei Fan
xuelei.fan at oracle.com
Thu Jun 5 07:24:59 UTC 2014
On 6/5/2014 3:24 PM, Wang Weijun wrote:
>
> On Jun 4, 2014, at 16:26, Wang Weijun <weijun.wang at oracle.com> wrote:
>
>> Oh, I was just updating the webrev to
>>
>> http://cr.openjdk.java.net/~weijun/8044755/webrev.01/
>
> Are you OK with this 2nd version of webrev?
>
Ok.
Xuelei
> Thanks
> Max
>
>>
>> As we've just discussed offline, the reason the 2nd jarsigner call fails is a double weakness, not only the signer's key is 512 bit, but also signer's cert is signed by a 512 key (of CA).
>>
>> Therefore I update the test to use a weak signature alg -- MD2withRSA. This time I believe the weakness of CA's cert won't infect the its signature when signing signer.
>>
>> Thanks
>> Max
>>
>> On Jun 4, 2014, at 16:20, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>
>>> Looks fine to me.
>>>
>>> FYI, I'd like to remove the temporary files (a.jar, ks, etc) after a
>>> testing.
>>>
>>> Xuelei
>>>
>>> On 6/4/2014 2:21 PM, Wang Weijun wrote:
>>>> Please review a new test at
>>>>
>>>> http://cr.openjdk.java.net/~weijun/8044755/webrev.00/
>>>>
>>>> It makes sure the CertPath validation check in jarsigner matches the algorithm constraints check on key sizes.
>>>>
>>>> Thanks
>>>> Max
>>>>
>>>
>>
>
More information about the security-dev
mailing list