RFR 8242068: Signed JAR support for RSASSA-PSS and EdDSA
Sean Mullan
sean.mullan at oracle.com
Fri May 22 20:44:08 UTC 2020
On 5/22/20 10:30 AM, Weijun Wang wrote:
> Please take a review at
>
> CSR : https://bugs.openjdk.java.net/browse/JDK-8245274
> webrev : http://cr.openjdk.java.net/~weijun/8242068/webrev.00/
>
> Major points in CSR:
>
> - new sigalg "RSASSA-PSS", "EdDSA", "Ed25519" and "Ed448" can be used in jarsigner
In the CSR, it says "In fact, the new -sigalg option values are quite
useless and do not need to specified."
What happens if you specify anything other than the defaults?
In the Supported Algorithms, what does keysize: (empty) mean? Do you
mean "any size" as in the current table for DSA?
> - The ".RSA" and ".EC" block extension types (PKCS #7 SignedData inside a signed JAR) are reused for new signature algorithms
I think the CSR should have the proposed changes to the JAR
specification instead of just saying it will be described. Also, we
never defined the "EC" type, so I think this CSR is a good opportunity
to also fix that and add that extension to the JAR spec.
--Sean
> major code changes:
>
> - Move signature related utilities methods from AlgorithmId.java to SignatureUtil.java
>
> - Add new SignatureUtil methods fromKey() and fromSignature() to simplify creating Signature and getting its AlgorithmId
>
> - Use the new methods in PKCS10, X509CertImpl, and X509CRLImpl signing
>
> - Add a new (and intuitive, IMHO) PKCS7::generateNewSignedData capable of all old and new signature algorithms
>
> - Mark all -altsign related code deprecated and they can be removed once ContentSigner is removed
>
> Next I'll do some basic interop tests with openssl and BouncyCastle.
>
> Thanks,
> Max
>
More information about the security-dev
mailing list