RFR: 8242068: Signed JAR support for RSASSA-PSS and EdDSA

Weijun Wang weijun at openjdk.java.net
Sun Oct 4 13:34:38 UTC 2020


On Sun, 4 Oct 2020 08:41:28 GMT, Alan Bateman <alanb at openjdk.org> wrote:

>> Major points in CSR at https://bugs.openjdk.java.net/browse/JDK-8245274:
>> 
>> - new sigalg "RSASSA-PSS", "EdDSA", "Ed25519" and "Ed448" can be used in jarsigner
>> 
>> - The ".RSA" and ".EC" block extension types (PKCS #7 SignedData inside a signed JAR) are reused for new signature
>>   algorithms
>> 
>> - A new JarSigner property "directsign"
>> 
>> - Updating the jarsigner tool doc
>> 
>> Major code changes:
>> 
>> - Always use the signature algorithm directly as SignerInfo::signatureAlgorithm. We used to use the encryption algorithm
>>   there like RSA, DSA, and EC. Now it's always SHA1withRSA or RSASSA-PSS.
>> 
>> - Move signature related utilities methods from AlgorithmId.java to SignatureUtil.java
>> 
>> - Add new SignatureUtil methods fromKey() and fromSignature() to simplify creating Signature and getting its AlgorithmId
>> 
>> - Use the new methods in PKCS10, X509CertImpl, and X509CRLImpl signing
>> 
>> - Add a new (and intuitive, IMHO) PKCS7::generateNewSignedData capable of all old and new signature algorithms
>> 
>> - Mark all -altsign related code deprecated and they can be removed once ContentSigner is removed
>
> test/lib/jdk/test/lib/util/JarUtils.java line 90:
> 
>> 88:                 String name = toJarEntryName(entry);
>> 89:                 jos.putNextEntry(new JarEntry(name));
>> 90:                 if (Files.exists(dir.resolve(entry))) {
> 
> This is test infrastructure that we use in several areas and changing it to allow file paths to files that don't exist
> be problematic. Is there any reason why the jarsigner can't create an empty or dummy file to put into the JAR file?

Sorry, I'll revert the change and create files myself. I just thought any existing call to this method should have the
file already created there, but it could be a problem if the creation is not trivial and might fail.

-------------

PR: https://git.openjdk.java.net/jdk/pull/322



More information about the security-dev mailing list