RFR: 8242068: Signed JAR support for RSASSA-PSS and EdDSA [v7]
Weijun Wang
weijun at openjdk.java.net
Fri Oct 16 02:34:19 UTC 2020
On Thu, 15 Oct 2020 02:03:13 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>>
>> signing time, jarsigner -directsign, and digest algorithm check
>
> src/java.base/share/classes/sun/security/pkcs/PKCS7.java line 818:
>
>> 816: DerOutputStream derSigAlg = new DerOutputStream();
>> 817: sigAlgID.derEncode(derSigAlg);
>> 818: derAlgs.writeImplicit((byte)0xA1, derSigAlg);
>
> Are you sure that this context specific tag value is implicit? In RFC 6211, some other ASN.1 definition uses IMPLICIT
> keyword after the [x] which seems to suggest that the default is explicit unless specified. Besides, the layman's guide
> sec2.3 also states "The keyword [class number] alone is the same as explicit tagging, except when the "module" in which
> the ASN.1 type is defined has implicit tagging by default." So, it seems that explicit tagging should be the default?
In the formal definition at https://tools.ietf.org/html/rfc6211#appendix-A, you can see `DEFINITIONS IMPLICIT TAGS`
covers from BEGIN to END. Those explicit IMPLICIT tags you see are CMS ASN.1 definitions, and it looks like, in its own RFC
at https://tools.ietf.org/html/rfc5652#section-12, IMPLICIT and EXPLICIT are always written out.
I can confirm both OpenSSL and BC use IMPLICIT.
-------------
PR: https://git.openjdk.java.net/jdk/pull/322
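
The two encodings discussed in this thread, as an added example that is not part of the original message or of the JDK patch: a small Python DER encoder builds an RFC 6211 CMSAlgorithmProtection with the `[1]` signatureAlgorithm field tagged implicitly and explicitly, and a checker reports which form a given blob uses. The SHA-256 and Ed25519 algorithm identifiers are constructed sample values, and all function names are hypothetical.

```python
# Added example: minimal DER helpers (single-byte tags, small OID first arcs only).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # base-128, low group first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# Constructed sample AlgorithmIdentifiers (parameters absent).
SHA256 = tlv(0x30, oid("2.16.840.1.101.3.4.2.1"))
ED25519 = tlv(0x30, oid("1.3.101.112"))

def algorithm_protection(digest_alg, sig_alg, implicit=True):
    if implicit:
        field = bytes([0xA1]) + sig_alg[1:]   # 0xA1 replaces the SEQUENCE tag 0x30
    else:
        field = tlv(0xA1, sig_alg)            # 0xA1 wraps the whole SEQUENCE
    return tlv(0x30, digest_alg + field)

def sig_alg_tagging(der):
    tag, body, _ = read_tlv(der)
    _, _, pos = read_tlv(body)                # skip digestAlgorithm
    if tag != 0x30 or pos >= len(body) or body[pos] != 0xA1:
        raise ValueError("no [1] signatureAlgorithm field found")
    # An AlgorithmIdentifier starts with an OID, so the first inner tag tells the forms apart.
    inner_tag = read_tlv(read_tlv(body, pos)[1])[0]
    return {0x06: "implicit", 0x30: "explicit"}.get(inner_tag, "unknown")
```

The explicit form is two bytes longer, and a decoder expecting one form will reject or misparse the other, so the same check is useful when comparing a signer's output against other implementations.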