RFR: 8242068: Signed JAR support for RSASSA-PSS and EdDSA [v7]

Valerie Peng valeriep at openjdk.java.net
Wed Oct 14 19:03:13 UTC 2020 

On Wed, 14 Oct 2020 03:51:23 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Major points in CSR at https://bugs.openjdk.java.net/browse/JDK-8245274:
>> 
>> - new sigalg "RSASSA-PSS", "EdDSA", "Ed25519" and "Ed448" can be used in jarsigner
>> 
>> - The ".RSA" and ".EC" block extension types (PKCS #7 SignedData inside a signed JAR) are reused for new signature
>>   algorithms
>> 
>> - A new JarSigner property "directsign"
>> 
>> - Updating the jarsigner tool doc
>> 
>> Major code changes:
>> 
>> - Always use the signature algorithm directly as SignerInfo::signatureAlgorithm. We used to use the encryption algorithm
>>   there like RSA, DSA, and EC. Now it's always SHA1withRSA or RSASSA-PSS.
>> 
>> - Move signature related utilities methods from AlgorithmId.java to SignatureUtil.java
>> 
>> - Add new SignatureUtil methods fromKey() and fromSignature() to simplify creating Signature and getting its AlgorithmId
>> 
>> - Use the new methods in PKCS10, X509CertImpl, and X509CRLImpl signing
>> 
>> - Add a new (and intuitive, IMHO) PKCS7::generateNewSignedData capable of all old and new signature algorithms
>> 
>> - Mark all -altsign related code deprecated and they can be removed once ContentSigner is removed
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   signing time, jarsigner -directsign, and digest algorithm check

src/java.base/share/classes/sun/security/util/SignatureUtil.java line 210:

> 208:                         new DerValue((byte) 2, new byte[]{2, 0})); // int 512
> 209:             } catch (IOException | NoSuchAlgorithmException e) {
> 210:                 throw new AssertionError("Shoudl not happen", e);

Shoudl => Should

src/java.base/share/classes/sun/security/util/SignatureUtil.java line 215:

> 213:     }
> 214:     /**
> 215:      * Determines the digestEncryptionAlgorithmId in PKCS& SignerInfo.

&=>7

src/java.base/share/classes/sun/security/util/SignatureUtil.java line 217:

> 215:      * Determines the digestEncryptionAlgorithmId in PKCS& SignerInfo.
> 216:      *
> 217:      * @param signer Signature object that tells you RSASA-PSS params

RSASA=>RSASSA

src/java.base/share/classes/sun/security/util/SignatureUtil.java line 221:

> 219:      * @param privateKey key tells you EdDSA params
> 220:      * @param directsign Ed448 uses different digest algs depending on this
> 221:      * @return the digest alg

alg => algid

src/java.base/share/classes/sun/security/util/SignatureUtil.java line 218:

> 216:      *
> 217:      * @param signer Signature object that tells you RSASA-PSS params
> 218:      * @param sigalg Signature algorithm tells you who with who

who with who?

-------------

PR: https://git.openjdk.java.net/jdk/pull/322

More information about the security-dev mailing list