RFR: 8242068: Signed JAR support for RSASSA-PSS and EdDSA [v7]

Weijun Wang weijun at openjdk.java.net
Fri Oct 16 04:14:11 UTC 2020


On Fri, 16 Oct 2020 02:34:35 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/pkcs/SignerInfo.java line 549:
>> 
>>> 547:                 return encAlg;
>>> 548:             default:
>>> 549:                 String digAlg = digAlgId.getName().replace("-", "");
>> 
>> This may be incorrect if the digest algorithm is in the SHA3 family. Maybe we should check and apply this conversion
>> only when digest algorithm starts with "SHA-".
>
> Good suggestion. I'll also try some tests.

In fact, since now I directly write the signature algorithm into the `SignerInfo.digestEncryptionAlgorithmId` field,
the code above is not used at all. The `makeSigAlg` method directly returns the `encAlgId` argument if it has "with"
inside.

I'll fix it anyway. I've confirmed that if I still write only the key algorithm there (Ex: "EC") then the verification
process will see a problem without your suggested change.

-------------

PR: https://git.openjdk.java.net/jdk/pull/322



More information about the security-dev mailing list