[9] RFR: 8168882: keytool doesn't print certificate info if disabled algorithm was used for signing a jar
Wang Weijun
weijun.wang at oracle.com
Wed Nov 2 06:59:31 UTC 2016
Main.java:
The warning (and the subsequent empty line) should be printed into System.err.
Resources.java:
"This tool accepts any algorithm" is a little confusing (sorry that I originally suggested it). Maybe "This tool does not attempt to verify a signed jar file, please run \"jarsigner -verify\" if you want to."
Also, ever since the first time hard-coded strings were changed into dot-connected resource keys, newly added keys do not necessarily use the exact same string. Make it simple so that next time, if the value needs to be updated, you don't need to change the key.
Test:
- You can also add -Duser.language=en and -Duser.country=US to keytool.
- With my recent update to JarUtils.createJar(), there is no need to create the "test" file.
Everything else looks fine.
Thanks
Max
> On Nov 2, 2016, at 7:35 AM, Artem Smotrakov <artem.smotrakov at oracle.com> wrote:
>
> Hello,
>
> Please review this small update for keytool.
>
> "keytool -printcert -jarfile" doesn't work with jars which were signed with algorithms listed in "jdk.jar.disabledAlgorithms" security property.
>
> The patch below resets "jdk.jar.disabledAlgorithms" security property before reading a jar file, and prints a warning.
>
> I also re-wrote readjar.sh test, and added SecurityTools class with a couple of re-usable methods for jarsigner and keytool (those methods are based on methods from TimestampCheck.java).
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8168882
> Webrev: http://cr.openjdk.java.net/~asmotrak/8168882/webrev.00/
>
> Artem