[9] RFR: 8168882: keytool doesn't print certificate info if disabled algorithm was used for signing a jar

Artem Smotrakov artem.smotrakov at oracle.com
Tue Nov 8 01:59:19 UTC 2016


Sean, Max,

Please take a look at 
http://cr.openjdk.java.net/~asmotrak/8168882/webrev.03/

It doesn't print a warning anymore, and resets the security property only 
if -jarfile is specified. I also updated a couple of tests to check if 
"-printcert" works fine.

Artem


On 11/03/2016 05:47 PM, Artem Smotrakov wrote:
> Thank you for the review, Sean.
>
> I'll remove the warning then. And I'll update it to reset the security 
> property only if a jar file has been specified.
>
> Let me also check how "-printcert -file ..." and "-printcert 
> -sslserver" work.
>
> Artem
>
>
> On 11/03/2016 07:27 AM, Wang Weijun wrote:
>> I agree with Sean.
>>
>> --Max
>>
>>> On Nov 3, 2016, at 10:00 PM, Sean Mullan <sean.mullan at oracle.com> 
>>> wrote:
>>>
>>> You should only unset the jdk.jar.disabledAlgorithms property if a 
>>> jarfile has been specified.
>>>
>>> Also, you are printing the warning message for all usages of the 
>>> -printcert option, -ssl, etc, which is not correct.
>>>
>>> But I don't really think the warning message is necessary. The docs 
>>> for the -printcert option are pretty clear that it simply extracts 
>>> the certificate and prints it. If we are going to put a warning in 
>>> for signed JARs, then arguably we should put in a more general, 
>>> simple warning in for all usages of this option to say that the 
>>> certificate, etc is not verified, ex:
>>>
>>> "WARNING: The -printcert option does not verify the certificate."
>>>
>>> But again, I don't think this is strictly necessary.
>>>
>>> Thanks,
>>> Sean
>



