RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in si… [v2]
Weijun Wang
weijun at openjdk.java.net
Wed Jan 13 15:23:06 UTC 2021
On Wed, 13 Jan 2021 01:21:14 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> The jarsigner tool currently provides warning associated with the signer’s cert when it uses weak algorithms, but not for the CA certs. This change is to process the signer’s cert chain to warn if CA certs use weak algorithms.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> No warning for trusted cert's SHA1, and added debug output to test
Marked as reviewed by weijun (Reviewer).
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1484:
> 1482: // If the cert is trusted, only check its key size, but not its
> 1483: // signature algorithm. This is because warning should not be
> 1484: // generated for SHA-1 roots which are not an issue.
In my opinion, the reason we don't checked the signature is that we trust its origin anyway and we don't verify the signature at all (do we?). On the other hand, since its key is used to sign other certs, we need to make sure the key size is big enough so that no one else is able to recover the key and use it to sign other certs.
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1491:
> 1489: .append(checkWeakKey(key));
> 1490:
> 1491: certStr.append("\n").append(tab).append("[");
It's a little strange to leave the other half of the bracket (`certStr.append("]");` on line 1568) outside the if-else block. Can you please move it inside? Of course you will have to duplicate them.
-------------
PR: https://git.openjdk.java.net/jdk/pull/2042
More information about the security-dev
mailing list