RFR: 8242068: Signed JAR support for RSASSA-PSS and EdDSA [v7]

Valerie Peng valeriep at openjdk.java.net
Fri Oct 16 00:02:15 UTC 2020 

On Wed, 14 Oct 2020 03:51:23 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Major points in CSR at https://bugs.openjdk.java.net/browse/JDK-8245274:
>> 
>> - new sigalg "RSASSA-PSS", "EdDSA", "Ed25519" and "Ed448" can be used in jarsigner
>> 
>> - The ".RSA" and ".EC" block extension types (PKCS #7 SignedData inside a signed JAR) are reused for new signature
>>   algorithms
>> 
>> - A new JarSigner property "directsign"
>> 
>> - Updating the jarsigner tool doc
>> 
>> Major code changes:
>> 
>> - Always use the signature algorithm directly as SignerInfo::signatureAlgorithm. We used to use the encryption algorithm
>>   there like RSA, DSA, and EC. Now it's always SHA1withRSA or RSASSA-PSS.
>> 
>> - Move signature related utilities methods from AlgorithmId.java to SignatureUtil.java
>> 
>> - Add new SignatureUtil methods fromKey() and fromSignature() to simplify creating Signature and getting its AlgorithmId
>> 
>> - Use the new methods in PKCS10, X509CertImpl, and X509CRLImpl signing
>> 
>> - Add a new (and intuitive, IMHO) PKCS7::generateNewSignedData capable of all old and new signature algorithms
>> 
>> - Mark all -altsign related code deprecated and they can be removed once ContentSigner is removed
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   signing time, jarsigner -directsign, and digest algorithm check

src/java.base/share/classes/sun/security/pkcs/PKCS7.java line 172:

> 170:         throws IOException
> 171:     {
> 172:         ContentInfo block = new ContentInfo(derin, oldStyle);

With this change, i.e. using a local variable instead of setting the field 'contentInfo', the 'contentInfo' field seems
to left unset when contentType equals to ContentInfo.NETSCAPE_CERT_SEQUENCE_OID?

src/java.base/share/classes/sun/security/pkcs/PKCS7.java line 818:

> 816:             DerOutputStream derSigAlg = new DerOutputStream();
> 817:             sigAlgID.derEncode(derSigAlg);
> 818:             derAlgs.writeImplicit((byte)0xA1, derSigAlg);

Are you sure that this context specific tag value is implicit? In RFC 6211, some other ASN.1 definition uses IMPLICIT
keyword after the [x] which seems to suggest that the default is explicit unless specified. Besides, the layman's guide
sec2.3 also states "The keyword [class number] alone is the same as explicit tagging, except when the "module" in which
the ASN.1 type is defined has implicit tagging by default." So, it seems that explicit tagging should be the default?

src/java.base/share/classes/sun/security/pkcs/SignerInfo.java line 508:

> 506:      * name and the encryption algorithm name inside a PKCS7 SignerInfo.
> 507:      *
> 508:      * For old style PKCS7 files where we use RSA, DSA, EC asencAlgId

asencAlgId => as encAlgId

src/java.base/share/classes/sun/security/pkcs/SignerInfo.java line 549:

> 547:                 return encAlg;
> 548:             default:
> 549:                 String digAlg = digAlgId.getName().replace("-", "");

This may be incorrect if the digest algorithm is in the SHA3 family. Maybe we should check and apply this conversion
only when digest algorithm starts with "SHA-".

src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java line 858:

> 856:         byte[] content = baos.toByteArray();
> 857:
> 858:         // Use new method is directSign is false or it's a modern

is => if

-------------

PR: https://git.openjdk.java.net/jdk/pull/322

More information about the security-dev mailing list