[9] RFR: 8168882: keytool doesn't print certificate info if disabled algorithm was used for signing a jar

Wang Weijun weijun.wang at oracle.com
Tue Nov 8 02:45:18 UTC 2016


Hi Artem

Change looks fine, but you can add a comment in keytool/Main on why you want to set that security property.

BTW, you mentioned keytool -printcert -sslserver the other time. Is there any strange thing happening if the SSL server is using weak cert/cipher?

Thanks
Max

> On Nov 8, 2016, at 9:59 AM, Artem Smotrakov <artem.smotrakov at oracle.com> wrote:
> 
> Sean, Max,
> 
> Please take a look at http://cr.openjdk.java.net/~asmotrak/8168882/webrev.03/
> 
> It doesn't print a warning anymore, and reset the security property only if -jarfile specified. I also updated a couple of tests to check if "-printcert" works fine.
> 
> Artem
> 
> 
> On 11/03/2016 05:47 PM, Artem Smotrakov wrote:
>> Thank you for review Sean.
>> 
>> I'll remove the warning then. And I'll update it to reset the security property only if a jar file has been specified.
>> 
>> Let me also check how "-printcert -file ..." and "-printcert -sslserver" work.
>> 
>> Artem
>> 
>> 
>> On 11/03/2016 07:27 AM, Wang Weijun wrote:
>>> I agree with Sean.
>>> 
>>> --Max
>>> 
>>>> On Nov 3, 2016, at 10:00 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>>> 
>>>> You should only unset the jdk.jar.disabledAlgorithms property if a jarfile has been specified.
>>>> 
>>>> Also, you are printing the warning message for all usages of the -printcert option, -ssl, etc, which is not correct.
>>>> 
>>>> But I don't really think the warning message is necessary. The docs for the -printcert option are pretty clear that it simply extracts the certificate and prints it. If we are going to put a warning in for signed JARs, then arguably we should put in a more general, simple warning in for all usages of this option to say that the certificate, etc is not verified, ex:
>>>> 
>>>> "WARNING: The -printcert option does not verify the certificate."
>>>> 
>>>> But again, I don't think this is strictly necessary.
>>>> 
>>>> Thanks,
>>>> Sean
>> 
> 




More information about the security-dev mailing list