[10] RFR 8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"
Sean Mullan
sean.mullan at oracle.com
Tue Aug 8 13:17:35 UTC 2017
Ok, I got it now. The method name "withWeak" threw me off a bit.
Fix looks good to me.
--Sean
On 8/8/17 9:00 AM, Weijun Wang wrote:
>
>> On Aug 8, 2017, at 8:22 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> I don't think we should warn at all if the keysize cannot be
>> determined or is inaccessible. The corresponding algorithm constraints
>> checks don't restrict keys whose size cannot be determined, so keytool
>> and jarsigner should be consistent.
>
> This code change is not related to weak warnings. For jarsigner, it's
> the signing history:
>
>> - Signed by "CN=a"
>> Digest algorithm: SHA-256
>> Signature algorithm: SHA256withECDSA, -1-bit key
>
> For keytool, it's the keytool -list -v output:
>
>> Alias name: a
>> ...
>> Signature algorithm name: SHA256withECDSA
>> Subject Public Key Algorithm: -1-bit EC key
>> Version: 3
>
> In fact, whenever the key size appears in a weak warning, as you said,
> it's always a positive value that fails a constraint check. This is why
> I said I haven't touched those KeyUtil.getSize() outputs.
>
> --Max
>
>>
>> --Sean
>>
>> On 8/8/17 1:49 AM, Weijun Wang wrote:
>>> Please review this trivial fix at
>>> http://cr.openjdk.java.net/~weijun/8185934/webrev.00/
>>> KeyUtil.getSize() is also called elsewhere when the key is weak,
>>> where key length is not -1.
>>> Noreg-trivial.
>>> Thanks
>>> Max
>