RFR: 8242068: Signed JAR support for RSASSA-PSS and EdDSA

Alan Bateman alanb at openjdk.java.net
Sun Oct 4 08:44:38 UTC 2020


On Wed, 23 Sep 2020 14:41:59 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Major points in CSR at https://bugs.openjdk.java.net/browse/JDK-8245274:
> 
> - new sigalg "RSASSA-PSS", "EdDSA", "Ed25519" and "Ed448" can be used in jarsigner
> 
> - The ".RSA" and ".EC" block extension types (PKCS #7 SignedData inside a signed JAR) are reused for new signature
>   algorithms
> 
> - A new JarSigner property "directsign"
> 
> - Updating the jarsigner tool doc
> 
> Major code changes:
> 
> - Always use the signature algorithm directly as SignerInfo::signatureAlgorithm. We used to use the encryption algorithm
>   there like RSA, DSA, and EC. Now it's always SHA1withRSA or RSASSA-PSS.
> 
> - Move signature related utilities methods from AlgorithmId.java to SignatureUtil.java
> 
> - Add new SignatureUtil methods fromKey() and fromSignature() to simplify creating Signature and getting its AlgorithmId
> 
> - Use the new methods in PKCS10, X509CertImpl, and X509CRLImpl signing
> 
> - Add a new (and intuitive, IMHO) PKCS7::generateNewSignedData capable of all old and new signature algorithms
> 
> - Mark all -altsign related code deprecated and they can be removed once ContentSigner is removed

Changes requested by alanb (Reviewer).

test/lib/jdk/test/lib/util/JarUtils.java line 90:

> 88:                 String name = toJarEntryName(entry);
> 89:                 jos.putNextEntry(new JarEntry(name));
> 90:                 if (Files.exists(dir.resolve(entry))) {

This is test infrastructure that we use in several areas and changing it to allow file paths to files that don't exist
may be problematic. Is there any reason why the jarsigner can't create an empty or dummy file to put into the JAR file?

-------------

PR: https://git.openjdk.java.net/jdk/pull/322


