RFR: 8255494: PKCS7 should use digest algorithm to verify the signature

Valerie Peng valeriep at openjdk.java.net
Fri Oct 30 23:02:59 UTC 2020


On Thu, 29 Oct 2020 18:57:45 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> This is a regression made by [JDK-8242068](https://bugs.openjdk.java.net/browse/JDK-8242068). When the digest algorithm is not the same as the hash part of the signature algorithm, we used to combine the digest algorithm with the key part of the signature algorithm into a new signature algorithm and use it when generating a signature. The previous code change uses the signature algorithm in the SignerInfo directly. This bugfix will revert to the old behavior.
>
> Looks good!

Looks good to me.

-------------

PR: https://git.openjdk.java.net/jdk/pull/916



More information about the security-dev mailing list