[9] RFR: 8168882: keytool doesn't print certificate info if disabled algorithm was used for signing a jar

Artem Smotrakov artem.smotrakov at oracle.com
Thu Nov 3 00:27:23 UTC 2016


Hi Max,

Please see inline.


On 11/01/2016 11:59 PM, Wang Weijun wrote:
> Main.java:
>
> The warning (and the subsequent empty line) should be printed into System.err.
>
> Resources.java:
>
> "This tool accepts any algorithm" is a little confusing (sorry that I originally suggested it). Maybe "This tool does not attempt to verify a signed jar file, please run \"jarsigner -verify\" if you want to."
Sure, I'll update the message.
>
> Also, ever since the 1st time hard-coded strings were changed into dot-connected resource keys, newly added keys do not necessarily use the exact same string. Make it simple so next time if the value needs to be updated you don't need to change the key.
Agree, I was thinking about a shorter key, but then noticed that most of
the keys look like messages. I'll make the key shorter.
>
> Test:
>
> - You can also add -Duser.language=en and -Duser.country=US to keytool.
Makes sense to me, will do.
>
> - With my recent update to JarUtils.createJar(), there is no need to create the "test" file.
Right. I'll remove it; however, creating a file would make it a bit
clearer to me.

Thank you for the review, Max. Please take a look at the updated webrev:

http://cr.openjdk.java.net/~asmotrak/8168882/webrev.01/

By the way, I just noticed that we have another version of JarUtils.java
which was added by Alan 7 months ago

http://hg.openjdk.java.net/jdk9/dev/jdk/log/1396fb6d0279/test/lib/testlibrary/JarUtils.java

Artem
>
> Everything else looks fine.
>
> Thanks
> Max
>
>
>> On Nov 2, 2016, at 7:35 AM, Artem Smotrakov <artem.smotrakov at oracle.com> wrote:
>>
>> Hello,
>>
>> Please review this small update for keytool.
>>
>> "keytool -printcert -jarfile" doesn't work with jars which were signed with algorithms listed in "jdk.jar.disabledAlgorithms" security property.
>>
>> The patch below resets "jdk.jar.disabledAlgorithms" security property before reading a jar file, and prints a warning.
>>
>> I also re-wrote readjar.sh test, and added SecurityTools class with a couple of re-usable methods for jarsigner and keytool (those methods are based on methods from TimestampCheck.java).
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8168882
>> Webrev: http://cr.openjdk.java.net/~asmotrak/8168882/webrev.00/
>>
>> Artem



