RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in si…

Sean Mullan mullan at openjdk.java.net
Tue Jan 12 21:58:24 UTC 2021


On Tue, 12 Jan 2021 03:34:00 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

> The jarsigner tool currently provides a warning associated with the signer’s cert when it uses weak algorithms, but not for the CA certs. This change is to process the signer’s cert chain to warn if CA certs use weak algorithms.

Changes requested by mullan (Reviewer).

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1404:

> 1402:     }
> 1403: 
> 1404:     private String checkWeakKey(PublicKey key) {

Can this method be static?

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1421:

> 1419:     }
> 1420: 
> 1421:     private String checkWeakAlg(String alg) {

Can this method be static?

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1483:

> 1481:             certStr.append("\n").append(tab)
> 1482:                     .append("Signature algorithm: ")
> 1483:                     .append(checkWeakAlg(sigalg))

If the cert is trusted, I don't think we should print a warning if the signature algorithm is weak. Otherwise this will generate false warnings for SHA-1 roots, which are not an issue. You should check the key size though. And you can still print the signature algorithm. You may need to move lines 1489-1490 before this to first determine if the cert is trusted.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2042
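
The rule requested in the last review comment, sketched as an added example that is not part of the original message and is not the jarsigner code: walk the chain, check key size on every cert, and warn on a weak signature algorithm only when the cert is not trusted. The `CertInfo` record, the class and method names, and the weak-algorithm set and RSA threshold are assumptions made for illustration; in real code `sigAlg` would come from `X509Certificate.getSigAlgName()`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class ChainWeakAlgCheck {
    // Hypothetical stand-in for the X509Certificate fields the check needs.
    record CertInfo(String subject, String sigAlg, String keyAlg,
                    int keyBits, boolean trusted) {}

    // Illustrative policy values assumed for this example,
    // not the JDK's configured algorithm constraints.
    static final Set<String> WEAK_SIG_ALGS = Set.of("MD5withRSA", "SHA1withRSA");
    static final int MIN_RSA_BITS = 2048;

    static boolean isWeakKey(CertInfo c) {
        return c.keyAlg().equals("RSA") && c.keyBits() < MIN_RSA_BITS;
    }

    static List<String> warnings(List<CertInfo> chain) {
        List<String> out = new ArrayList<>();
        for (CertInfo c : chain) {
            // Key size is checked for every cert, trusted or not.
            if (isWeakKey(c)) {
                out.add(c.subject() + ": weak " + c.keyBits()
                        + "-bit " + c.keyAlg() + " key");
            }
            // A trusted cert is accepted because it is configured as trusted,
            // not because its signature verifies, so a weak signature
            // algorithm on it is not warned about.
            if (!c.trusted() && WEAK_SIG_ALGS.contains(c.sigAlg())) {
                out.add(c.subject() + ": weak signature algorithm " + c.sigAlg());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample chain: signer, intermediate CA, trusted root.
        List<CertInfo> chain = List.of(
            new CertInfo("CN=Signer", "SHA256withRSA", "RSA", 2048, false),
            new CertInfo("CN=Intermediate CA", "SHA1withRSA", "RSA", 2048, false),
            new CertInfo("CN=Old Root", "SHA1withRSA", "RSA", 1024, true));
        warnings(chain).forEach(System.out::println);
    }
}
```

On the constructed chain, the intermediate CA is flagged for its SHA-1 signature, while the trusted root is flagged only for its key size.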
