RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar

Wang Weijun weijun.wang at oracle.com
Wed Oct 19 07:36:42 UTC 2016


Please review the code change at

   http://cr.openjdk.java.net/~weijun/8163304/webrev.01/

With this change, "jarsigner -verify -verbose" will print out how a jar was signed.

For example, a jar which was signed and timestamped with many weak algorithms will show

- Signed by "CN=old"
    Digest algorithm: MD2 (weak)
    Signature algorithm: MD2withRSA (weak), 2048-bit key
  Timestamped by "CN=tsbad1" on Wed Oct 19 07:32:22 UTC 2016
    Timestamp digest algorithm: MD2 (weak)
    Timestamp signature algorithm: SHA1withRSA, 512-bit key (weak)

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024

Thanks
Max
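Added example, not part of the review request above and not JDK code: a small Python model of how the "(weak)" marks and the "treated as unsigned" warning in the sample output follow from the quoted `jdk.jar.disabledAlgorithms` value. The parser is an assumption: it accepts only the two constraint forms that appear in the message (a bare algorithm name such as `MD2`, and `<keyalg> keySize < N`), and it decomposes a signature algorithm name only on `with`; the JDK's own `DisabledAlgorithmConstraints` handles more syntax. The input is constructed to reproduce the message's example and is not read from a real JAR.

```python
"""Simplified model of jdk.jar.disabledAlgorithms checks (added example, not JDK code).

Only two constraint forms are handled, matching the value quoted in the message:
a bare algorithm name ("MD2") and "<keyalg> keySize < N".  The JDK's real
DisabledAlgorithmConstraints accepts more than this.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Property value exactly as quoted in the message.
DISABLED_ALGORITHMS = "MD2, RSA keySize < 1024, DSA keySize < 1024"


@dataclass(frozen=True)
class Constraint:
    algorithm: str               # upper-cased, e.g. "MD2" or "RSA"
    min_key_size: Optional[int]  # None: the algorithm is disabled outright


def parse_disabled_algorithms(value: str) -> List[Constraint]:
    """Split the comma-separated property into Constraint records."""
    constraints = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = re.fullmatch(r"(\S+)\s+keySize\s*<\s*(\d+)", entry)
        if m:
            constraints.append(Constraint(m.group(1).upper(), int(m.group(2))))
        else:
            constraints.append(Constraint(entry.upper(), None))
    return constraints


def algorithm_components(name: str) -> set:
    """'MD2withRSA' -> {'MD2', 'RSA'}: a signature algorithm is affected by a
    constraint on either its digest or its key algorithm.  Assumption: only the
    'with' separator is handled."""
    return {p.upper() for p in re.split(r"(?i)with", name) if p}


def check(algorithm: str, key_size: Optional[int] = None,
          constraints: Optional[List[Constraint]] = None) -> Tuple[bool, bool]:
    """Return (algorithm_weak, key_weak): a component disabled outright (MD2),
    or a keySize bound on the key algorithm that `key_size` violates."""
    if constraints is None:
        constraints = parse_disabled_algorithms(DISABLED_ALGORITHMS)
    parts = algorithm_components(algorithm)
    hits = [c for c in constraints if c.algorithm in parts]
    algorithm_weak = any(c.min_key_size is None for c in hits)
    key_weak = key_size is not None and any(
        c.min_key_size is not None and key_size < c.min_key_size for c in hits)
    return algorithm_weak, key_weak


def digest_line(label: str, algorithm: str, constraints=None) -> str:
    weak, _ = check(algorithm, None, constraints)
    return f"{label}: {algorithm}" + (" (weak)" if weak else "")


def signature_line(label: str, algorithm: str, key_size: int, constraints=None) -> str:
    # The mark goes on the algorithm or on the key, whichever is the weak part.
    alg_weak, key_weak = check(algorithm, key_size, constraints)
    alg = algorithm + (" (weak)" if alg_weak else "")
    key = f"{key_size}-bit key" + (" (weak)" if key_weak else "")
    return f"{label}: {alg}, {key}"


def signer_report(signer, digest, sig_alg, key_size, tsa=None, ts_time=None,
                  ts_digest=None, ts_sig_alg=None, ts_key_size=None):
    """Render the block shown in the message for one signer.  Assumption: the
    'treated as unsigned' verdict depends on the signer's own digest, signature
    algorithm and key; the message does not show whether a weak timestamp alone
    triggers it, so timestamp weakness is only reported here."""
    lines = [f'- Signed by "{signer}"',
             "    " + digest_line("Digest algorithm", digest),
             "    " + signature_line("Signature algorithm", sig_alg, key_size)]
    if tsa is not None:
        lines += [f'  Timestamped by "{tsa}" on {ts_time}',
                  "    " + digest_line("Timestamp digest algorithm", ts_digest),
                  "    " + signature_line("Timestamp signature algorithm", ts_sig_alg, ts_key_size)]
    unsigned = any(check(digest)) or any(check(sig_alg, key_size))
    if unsigned:
        lines += ["", "WARNING: The jar will be treated as unsigned, because it is signed "
                  "with a weak algorithm that is now disabled by the security property:",
                  "", f"  jdk.jar.disabledAlgorithms={DISABLED_ALGORITHMS}"]
    return "\n".join(lines), unsigned


if __name__ == "__main__":
    # Constructed input reproducing the message's example; not read from a JAR.
    text, _ = signer_report("CN=old", "MD2", "MD2withRSA", 2048,
                            tsa="CN=tsbad1", ts_time="Wed Oct 19 07:32:22 UTC 2016",
                            ts_digest="MD2", ts_sig_alg="SHA1withRSA", ts_key_size=512)
    print(text)
```

The two cases in the sample output are distinguished by `check`: `MD2withRSA` with a 2048-bit key is weak because of the MD2 component, so the mark lands on the algorithm, while `SHA1withRSA` with a 512-bit key is weak only through `RSA keySize < 1024`, so the mark lands on the key. A signer using `SHA256withRSA` and a 2048-bit key produces no marks and no warning under this property value.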




More information about the security-dev mailing list