JDK 9 and JCE code signing (where and sha1WithDSA 1024?)

Bernd Eckenfels ecki at zusammenkunft.net
Sun Nov 20 19:57:39 UTC 2016


Hello,

how will the JCE Provider signing in Java 9 work? Are the jmod files
signed (I don't see a signature in them in the Windows EA builds)?


On the BouncyCastle Crypto mailing list there has been a discussion
that currently JCE code signing (of Jars) is done with a SHA1 chained
1024 bit DSA signature.

https://www.bouncycastle.org/devmailarchive/msg14905.html

Will that change to actually allow SHA-1 to be
turned off? Does the JAR-path checking security attribute also apply to
any (possible) JMOD signatures?

Oracle's planned changes do not, as far as I can see, include any changes
here. I don't mind much that JCE policy is enforced by an older
algorithm, but it makes it impossible to globally turn off SHA1 and DSA
(1024).

Regards
Bernd
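Added example, not part of Bernd's mail or of any OpenJDK or BouncyCastle code: a small Python inspector that answers the question the mail raises for a given provider JAR, namely whether its signature still depends on SHA-1 and 1024-bit DSA. It reads the `-Digest` headers of `META-INF/*.SF`, walks the DER of the `*.DSA`/`*.RSA`/`*.EC` signature block collecting every OID it meets, and when it sees the `id-dsa` OID followed by `Dss-Parms` it reports the bit length of `p`. The sample JAR is constructed in memory with a hand-built signature block that is structurally valid but not cryptographically valid; all file names and the OID table are assumptions for the example.

```python
"""Inspect a signed JAR for SHA-1 digests and small DSA keys (added example)."""
import io
import zipfile

# OIDs that matter for the JCE signing question; names are informal labels.
OIDS = {
    "1.3.14.3.2.26": "sha1",
    "1.2.840.10040.4.1": "id-dsa",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.3.2": "dsa-with-sha256",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_ALGS = {"sha1", "dsa-with-sha1", "sha1WithRSAEncryption"}
MIN_DSA_BITS = 2048


def _tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def walk_der(buf, start=0, end=None, found=None):
    """Collect all OIDs; after id-dsa, read p from the following Dss-Parms."""
    found = found if found is not None else {"oids": [], "dsa_p_bits": None}
    end, pos, prev_oid = len(buf) if end is None else end, start, None
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        if tag == 0x06:                    # OBJECT IDENTIFIER
            prev_oid = _decode_oid(buf[vs:ve])
            found["oids"].append(prev_oid)
        elif tag & 0x20:                   # constructed: SEQUENCE, SET, [n]
            if tag == 0x30 and prev_oid == "1.2.840.10040.4.1" and found["dsa_p_bits"] is None:
                _, pvs, pve = _tlv(buf, vs)     # Dss-Parms ::= SEQUENCE { p, q, g }
                found["dsa_p_bits"] = int.from_bytes(buf[pvs:pve], "big").bit_length()
            walk_der(buf, vs, ve, found)
            prev_oid = None
        pos = ve
    return found


def inspect_jar(jar_bytes):
    """Return digest header names, signature-block algorithms, DSA size and weak findings."""
    report = {"digest_headers": set(), "signature_algs": set(), "dsa_p_bits": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            data = zf.read(name)
            if upper.endswith(".SF"):
                for line in data.decode("utf-8", "replace").splitlines():
                    key = line.split(":", 1)[0].strip()
                    if "-Digest" in key:
                        report["digest_headers"].add(key)
            elif upper.endswith((".DSA", ".RSA", ".EC")):
                found = walk_der(data)
                report["signature_algs"].update(OIDS.get(o, o) for o in found["oids"])
                report["dsa_p_bits"] = found["dsa_p_bits"] or report["dsa_p_bits"]
    weak = {a for a in report["signature_algs"] if a in WEAK_ALGS}
    weak |= {h for h in report["digest_headers"] if h.startswith("SHA1-")}
    if report["dsa_p_bits"] and report["dsa_p_bits"] < MIN_DSA_BITS:
        weak.add("DSA-%d" % report["dsa_p_bits"])
    report["weak"] = sorted(weak)
    return report


# --- constructed sample data (not a real signature) -------------------------
def _der(tag, content):
    n = len(content)
    lenb = bytes([n]) if n < 0x80 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + lenb + content


def _oid(text):
    parts = [int(x) for x in text.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, out)


def build_sample_jar():
    """Constructed JAR: SHA-1 digests in the .SF and a DSA-1024 skeleton block."""
    p = (1 << 1023) | 0x1234                      # placeholder 1024-bit value, not a DSA prime
    params = _der(0x30, _der(0x02, b"\x00" + p.to_bytes(128, "big")) + _der(0x02, b"\x01") + _der(0x02, b"\x02"))
    block = _der(0x30, _der(0x31, _der(0x30, _oid("1.3.14.3.2.26") + b"\x05\x00"))
                 + _der(0x30, _oid("1.2.840.10040.4.1") + params)
                 + _der(0x30, _oid("1.2.840.10040.4.3")))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\nName: org/example/Provider.class\r\nSHA1-Digest: AAAA\r\n\r\n")
        zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\nSHA1-Digest-Manifest: AAAA\r\n\r\nName: org/example/Provider.class\r\nSHA1-Digest: AAAA\r\n\r\n")
        zf.writestr("META-INF/SIGNER.DSA", block)
        zf.writestr("org/example/Provider.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_jar(build_sample_jar()))
```

On a real provider JAR, pass the file bytes to `inspect_jar`; an empty `weak` list means the signature metadata no longer references SHA-1 or a sub-2048-bit DSA key, which is the precondition for disabling those algorithms globally without breaking provider verification.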



More information about the security-dev mailing list