RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
Sean Mullan
sean.mullan at oracle.com
Wed Oct 19 20:13:24 UTC 2016
* Main.java
98 private static final DisabledAlgorithmConstraints SIGN_CHECK =
99 new DisabledAlgorithmConstraints(
100
DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
This should be changed to PROPERTY_JAR_DISABLED_ALGS now that the fix
for 8167594 is in 9.
* Resources.java
150 "The jar will be treated as unsigned, because it is
signed with a weak algorithm that is now disabled.\n\nRe-run jarsigner
with the -verbose option for more details."},
Should this also have "WARNING:" at the beginning like the other 2
unsigned warning messages?
* JarUtils.java
45 * a new jar entry will be created with the file name itself the
content.
70 * with the file name itself the content.
These 2 lines would be more understandable if you changed "itself the
content" to "itself as the content".
* TimestampCheck.java
You will need to update this test based on the new MD5 restrictions
added in 8167594.
--Sean
On 10/19/2016 03:36 AM, Wang Weijun wrote:
> Please review the code change at
>
> http://cr.openjdk.java.net/~weijun/8163304/webrev.01/
>
> With this change, "jarsigner -verify -verbose" will print out how a jar was signed.
>
> For example, a jar which was signed and timestamped with many weak algorithms will show
>
> - Signed by "CN=old"
> Digest algorithm: MD2 (weak)
> Signature algorithm: MD2withRSA (weak), 2048-bit key
> Timestamped by "CN=tsbad1" on Wed Oct 19 07:32:22 UTC 2016
> Timestamp digest algorithm: MD2 (weak)
> Timestamp signature algorithm: SHA1withRSA, 512-bit key (weak)
>
> WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
>
> jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024
>
> Thanks
> Max
>
More information about the security-dev
mailing list