RFR: 8242068: Signed JAR support for RSASSA-PSS and EdDSA [v7]
Weijun Wang
weijun at openjdk.java.net
Fri Oct 16 04:14:11 UTC 2020
On Fri, 16 Oct 2020 02:34:35 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/pkcs/SignerInfo.java line 549:
>>
>>> 547: return encAlg;
>>> 548: default:
>>> 549: String digAlg = digAlgId.getName().replace("-", "");
>>
>> This may be incorrect if the digest algorithm is in the SHA3 family. Maybe we should check and apply this conversion
>> only when digest algorithm starts with "SHA-".
>
> Good suggestion. I'll also try some tests.
In fact, since now I directly write the signature algorithm into the `SignerInfo.digestEncryptionAlgorithmId` field,
the code above is not used at all. The `makeSigAlg` method directly returns the `encAlgId` argument if it has "with"
inside.
I'll fix it anyway. I've confirmed that if I still write only the key algorithm there (Ex: "EC") then the verification
process will see a problem without your suggested change.
-------------
PR: https://git.openjdk.java.net/jdk/pull/322
More information about the security-dev
mailing list