RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar

Wang Weijun weijun.wang at oracle.com
Wed Oct 19 23:16:40 UTC 2016


> On Oct 20, 2016, at 4:13 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> * Main.java
> 
>  98     private static final DisabledAlgorithmConstraints SIGN_CHECK =
>  99             new DisabledAlgorithmConstraints(
> 100                     DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
> 
> This should be changed to PROPERTY_JAR_DISABLED_ALGS now that the fix for 8167594 is in 9.

Yes.

> 
> * Resources.java
> 
> 150                 "The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled.\n\nRe-run jarsigner with the -verbose option for more details."},
> 
> Should this also have "WARNING:" at the beginning like the other 2 unsigned warning messages?

You suggested this some time ago:

   I think we should say "WARNING: Signature not parsable or verifiable. ..."

   Without the word "WARNING", the impact (to me) seems to get lost in the verbose output. The "WARNING" part is not needed if -verbose is not specified.


> 
> * JarUtils.java
> 
> 45      * a new jar entry will be created with the file name itself the content.
> 70      * with the file name itself the content.
> 
> These 2 lines would be more understandable if you changed "itself the content" to "itself as the content".

Yes.

> 
> * TimestampCheck.java
> 
> You will need to update this test based on the new MD5 restrictions added in 8167594.

Yes.

Thanks
Max

> 
> --Sean
> 
> On 10/19/2016 03:36 AM, Wang Weijun wrote:
>> Please review the code change at
>> 
>>   http://cr.openjdk.java.net/~weijun/8163304/webrev.01/
>> 
>> With this change, "jarsigner -verify -verbose" will print out how a jar was signed.
>> 
>> For example, a jar which was signed and timestamped with many weak algorithms will show
>> 
>> - Signed by "CN=old"
>>    Digest algorithm: MD2 (weak)
>>    Signature algorithm: MD2withRSA (weak), 2048-bit key
>>  Timestamped by "CN=tsbad1" on Wed Oct 19 07:32:22 UTC 2016
>>    Timestamp digest algorithm: MD2 (weak)
>>    Timestamp signature algorithm: SHA1withRSA, 512-bit key (weak)
>> 
>> WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
>> 
>>  jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024
>> 
>> Thanks
>> Max
>> 
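
The following is an added example, not part of the original thread and not the JDK's code: a simplified Python model of how the jdk.jar.disabledAlgorithms value quoted above yields the "(weak)" markers in the sample output. The function names and the name-splitting rule are assumptions made for illustration; the real check is done by DisabledAlgorithmConstraints.

```python
import operator
import re

# Property value quoted in the message above.
JAR_DISABLED_ALGS = "MD2, RSA keySize < 1024, DSA keySize < 1024"

OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, ">=": operator.ge}
KEY_RULE = re.compile(r"(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)")

def parse_property(value):
    """Split the property into disabled names and key-size rules."""
    names, key_rules = set(), []
    for entry in (e.strip() for e in value.split(",")):
        m = KEY_RULE.fullmatch(entry)
        if m:
            key_rules.append((m.group(1).upper(), m.group(2), int(m.group(3))))
        elif entry:
            names.add(entry.upper())
    return names, key_rules

def decompose(algorithm):
    """Simplified split: 'MD2withRSA' -> {'MD2', 'RSA'}."""
    parts = re.split(r"with|and|/", algorithm, flags=re.IGNORECASE)
    return {p.upper() for p in parts if p}

def weak_name(algorithm, names):
    # Weak if any component of the name is listed as disabled.
    return bool(decompose(algorithm) & names)

def weak_key(key_alg, bits, key_rules):
    # Weak if a keySize rule for this key algorithm matches the size.
    return any(alg == key_alg.upper() and OPS[op](bits, limit)
               for alg, op, limit in key_rules)

def describe(label, algorithm, names, key_rules, key=None):
    """Build one line in the style of the sample -verbose output."""
    text = f"{label}: {algorithm}"
    if weak_name(algorithm, names):
        text += " (weak)"
    if key:
        key_alg, bits = key
        text += f", {bits}-bit key"
        if weak_key(key_alg, bits, key_rules):
            text += " (weak)"
    return text

if __name__ == "__main__":
    names, rules = parse_property(JAR_DISABLED_ALGS)
    print(describe("Digest algorithm", "MD2", names, rules))
    print(describe("Signature algorithm", "MD2withRSA", names, rules, ("RSA", 2048)))
    print(describe("Timestamp signature algorithm", "SHA1withRSA", names, rules, ("RSA", 512)))
```
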



