RFR: 8242068: Signed JAR support for RSASSA-PSS and EdDSA [v7]
Valerie Peng
valeriep at openjdk.java.net
Fri Oct 16 02:18:14 UTC 2020
On Wed, 14 Oct 2020 03:51:23 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Major points in CSR at https://bugs.openjdk.java.net/browse/JDK-8245274:
>>
>> - new sigalg "RSASSA-PSS", "EdDSA", "Ed25519" and "Ed448" can be used in jarsigner
>>
>> - The ".RSA" and ".EC" block extension types (PKCS #7 SignedData inside a signed JAR) are reused for new signature
>> algorithms
>>
>> - A new JarSigner property "directsign"
>>
>> - Updating the jarsigner tool doc
>>
>> Major code changes:
>>
>> - Always use the signature algorithm directly as SignerInfo::signatureAlgorithm. We used to use the encryption algorithm
>> there like RSA, DSA, and EC. Now it's always SHA1withRSA or RSASSA-PSS.
>>
>> - Move signature related utilities methods from AlgorithmId.java to SignatureUtil.java
>>
>> - Add new SignatureUtil methods fromKey() and fromSignature() to simplify creating Signature and getting its AlgorithmId
>>
>> - Use the new methods in PKCS10, X509CertImpl, and X509CRLImpl signing
>>
>> - Add a new (and intuitive, IMHO) PKCS7::generateNewSignedData capable of all old and new signature algorithms
>>
>> - Mark all -altsign related code deprecated and they can be removed once ContentSigner is removed
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> signing time, jarsigner -directsign, and digest algorithm check
test/lib/jdk/test/lib/security/timestamp/TsaSigner.java line 221:
> 219: new X500Name(issuerName),
> 220: signerEntry.cert.getSerialNumber(),
> 221: AlgorithmId.get(SignatureUtil.extractDigestAlgFromDwithE(sigAlgo)),
So, sigAlgo would never be RSASSA-PSS, EDDSA, ED25519, or ED448?
-------------
PR: https://git.openjdk.java.net/jdk/pull/322
More information about the security-dev
mailing list