[9] RFR: 8168882: keytool doesn't print certificate info if disabled algorithm was used for signing a jar
Artem Smotrakov
artem.smotrakov at oracle.com
Tue Nov 8 03:09:08 UTC 2016
Here is final version (I hope)
http://cr.openjdk.java.net/~asmotrak/8168882/webrev.04/
Artem
On 11/07/2016 06:50 PM, Artem Smotrakov wrote:
> Hi Max,
>
> Sure, I'll add a comment which explains why keytool resets that
> security property.
>
> I didn't notice any strange thing happening if SSL server uses weak
> algorithms. Please see updated PrintSSL.java which now uses MD5withRSA.
>
> Artem
>
>
> On 11/07/2016 06:45 PM, Wang Weijun wrote:
>> Hi Artem
>>
>> Change looks fine, but you can add a comment in keytool/Main on why
>> you want to set that security property.
>>
>> BTW, you mentioned keytool -printcert -sslserver the other time. Is
>> there any strange thing happening if the SSL server is using weak
>> cert/cipher?
>>
>> Thanks
>> Max
>>
>>> On Nov 8, 2016, at 9:59 AM, Artem Smotrakov
>>> <artem.smotrakov at oracle.com> wrote:
>>>
>>> Sean, Max,
>>>
>>> Please take a look at
>>> http://cr.openjdk.java.net/~asmotrak/8168882/webrev.03/
>>>
>>> It doesn't print a warning anymore, and reset the security property
>>> only if -jarfile specified. I also updated a couple of tests to
>>> check if "-printcert" works fine.
>>>
>>> Artem
>>>
>>>
>>> On 11/03/2016 05:47 PM, Artem Smotrakov wrote:
>>>> Thank you for review Sean.
>>>>
>>>> I'll remove the warning then. And I'll update it to reset the
>>>> security property only if a jar file has been specified.
>>>>
>>>> Let me also check how "-printcert -file ..." and "-printcert
>>>> -sslserver" work.
>>>>
>>>> Artem
>>>>
>>>>
>>>> On 11/03/2016 07:27 AM, Wang Weijun wrote:
>>>>> I agree with Sean.
>>>>>
>>>>> --Max
>>>>>
>>>>>> On Nov 3, 2016, at 10:00 PM, Sean Mullan <sean.mullan at oracle.com>
>>>>>> wrote:
>>>>>>
>>>>>> You should only unset the jdk.jar.disabledAlgorithms property if
>>>>>> a jarfile has been specified.
>>>>>>
>>>>>> Also, you are printing the warning message for all usages of the
>>>>>> -printcert option, -ssl, etc, which is not correct.
>>>>>>
>>>>>> But I don't really think the warning message is necessary. The
>>>>>> docs for the -printcert option are pretty clear that it simply
>>>>>> extracts the certificate and prints it. If we are going to put a
>>>>>> warning in for signed JARs, then arguably we should put in a more
>>>>>> general, simple warning in for all usages of this option to say
>>>>>> that the certificate, etc is not verified, ex:
>>>>>>
>>>>>> "WARNING: The -printcert option does not verify the certificate."
>>>>>>
>>>>>> But again, I don't think this is strictly necessary.
>>>>>>
>>>>>> Thanks,
>>>>>> Sean
>
More information about the security-dev
mailing list