RFR 8130132: jarsigner should emit warning if weak algorithms or keysizes are used
Wang Weijun
weijun.wang at oracle.com
Wed Nov 18 06:23:29 UTC 2015
Hi All
Please take a look at
http://cr.openjdk.java.net/~weijun/8130132/webrev.00/
These new warnings will be added to jarsigner:
The signer's certificate is self-signed.
This jar contains entries whose signer certificate is self-signed.
The %1$s algorithm used as %2$s is considered a security risk.
For the last one, %1$s is the algorithm name (for example, MD5) and %2$s is the option name, which is one of "-digestalg", "-sigalg", and "-tsadigestalg".
Also, two existing warning messages
The signer's certificate chain is not validated.
This jar contains entries whose certificate chain is not validated.
will be updated to
The signer's certificate chain is not validated. Reason: %s
This jar contains entries whose certificate chain is not validated. Reason: %s
where %s will be the getLocalizedMessage() value of the exception caught in certificate chain validation.
Thanks
Max
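As an added illustration (not part of Max's webrev or the JDK's own code), the Java program below applies two of the conditions the new warnings describe to a signed jar: it flags digest attributes in MANIFEST.MF and the META-INF/*.SF files whose algorithm is on a deny list, and it flags signer certificates that are self-signed. The deny list, class name and message wording are assumptions for this example; it does not parse the PKCS#7 signature block, so -sigalg and -tsadigestalg are out of its scope.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;
public class WeakJarCheck {
    // Constructed deny list for this example; the post does not spell out jarsigner's own list.
    static final Set<String> WEAK_DIGESTS = new HashSet<>(Arrays.asList("MD2", "MD5"));
    // Self-signed: issuer equals subject and the signature verifies under the cert's own key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }
    // "SHA-256-Digest" or "MD5-Digest-Manifest" -> the algorithm name before "-Digest", else null
    static String digestAlgorithm(String attributeName) {
        int i = attributeName.indexOf("-Digest");
        return i < 0 ? null : attributeName.substring(0, i).toUpperCase(Locale.ROOT);
    }
    // Flag every digest attribute in one attribute set whose algorithm is on the deny list.
    static void collect(Attributes attrs, String where, List<String> out) {
        for (Object key : attrs.keySet()) {
            String alg = digestAlgorithm(key.toString());
            if (alg != null && WEAK_DIGESTS.contains(alg))
                out.add("The " + alg + " algorithm used as -digestalg in " + where + " is considered a security risk.");
        }
    }
    public static List<String> check(String jarPath) throws Exception {
        List<String> warnings = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath, true)) {   // true: verify signatures while reading
            Manifest mf = jar.getManifest();
            if (mf != null) mf.getEntries().forEach((n, a) -> collect(a, "MANIFEST.MF:" + n, warnings));
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                String name = e.getName();
                if (name.startsWith("META-INF/") && name.endsWith(".SF")) {  // signature file, same syntax as a manifest
                    try (InputStream in = jar.getInputStream(e)) { collect(new Manifest(in).getMainAttributes(), name, warnings); }
                    continue;
                }
                try (InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) { } } // signers are known only after a full read
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue;
                for (CodeSigner s : signers) {
                    X509Certificate c = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    if (isSelfSigned(c)) warnings.add("The signer's certificate is self-signed: " + c.getSubjectX500Principal() + " (" + name + ")");
                }
            }
        }
        return warnings;
    }
}
```

Calling `WeakJarCheck.check("some-signed.jar")` returns one line per finding; an empty list means no deny-listed digest attribute and no self-signed signer was seen.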