RFR: 8266225: jarsigner is using incorrect security property to show weakness of certs [v2]

Hai-May Chao hchao at openjdk.java.net
Thu May 6 20:57:14 UTC 2021


On Thu, 6 May 2021 18:08:40 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Test with new java.security file
>
> test/jdk/sun/security/tools/jarsigner/CheckSignerCertChain.java line 90:
> 
>> 88:                 // key, but not for its SHA1withRSA algorithm.
>> 89:                 .shouldContain("Signature algorithm: SHA1withRSA, 1024-bit key (weak)")
>> 90:                 .shouldHaveExitValue(0);
> 
> What does the test show before this fix?
> 
> I don't see `Security.setProperty` called or a new `java.security` file used. If `jdk.jar.dA` and `jdk.certpath.dA` are the same, then there's no way to find out if the new code works.

Added test using new java.security with different disabledAlgorithms for certpath and jar.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3905


