RFR: 8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
Sean Mullan
mullan at openjdk.java.net
Mon Nov 8 14:14:47 UTC 2021
When a signature/digest algorithm was being checked, the algorithm constraints checked both the signature/digest algorithm and the key to see if they were restricted. This caused duplicate checks and was also problematic for `jarsigner` (and `keytool`), which need to distinguish these two cases, so that the output can properly indicate when the key is disabled but the signature or digest alg is ok.
To address this issue, a new `checkKey` parameter is added to the `DisabledAlgorithmConstraints.permits` methods. When `true`, the key (alg and size) is also checked; otherwise it is not. This flag is always set to `false` by `jarsigner` when checking algs and by the JDK when checking digest algorithms. Other small changes include changes in `SignerInfo` to use a record to store info about the algorithms to be checked, and removing an unnecessary CRL checking method from `AlgorithmChecker`.
`keytool` will be enhanced in a subsequent CR to call the new methods.
-------------
Commit messages:
- Change name of `checkKeySize` param to `checkKey`.
- 8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
Changes: https://git.openjdk.java.net/jdk/pull/6296/files
Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6296&range=00
Issue: https://bugs.openjdk.java.net/browse/JDK-8275887
Stats: 128 lines in 9 files changed: 40 ins; 31 del; 57 mod
Patch: https://git.openjdk.java.net/jdk/pull/6296.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/6296/head:pull/6296
PR: https://git.openjdk.java.net/jdk/pull/6296
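
The distinction described in this message, modeled as an added example (not code from the JDK or from the pull request). The `permits` and `keyPermitted` methods, the `Rule` and `KeyInfo` records and the policy string are hypothetical, and only the bare-name and `keySize <` forms of the disabled-algorithms syntax are handled.

```java
import java.util.*;

public class CheckKeyDemo {
    // Constructed policy in the style of a disabled-algorithms security property.
    static final String POLICY = "MD5, RSA keySize < 2048";

    record KeyInfo(String alg, int bits) {}
    record Rule(String alg, int minBits) {}   // minBits == 0: algorithm disabled outright

    static List<Rule> parse(String policy) {
        List<Rule> rules = new ArrayList<>();
        for (String entry : policy.split(",")) {
            String[] t = entry.trim().split("\\s+");
            // Only "ALG" and "ALG keySize < N" are handled in this sketch.
            rules.add(t.length == 4 && t[1].equals("keySize") && t[2].equals("<")
                    ? new Rule(t[0], Integer.parseInt(t[3])) : new Rule(t[0], 0));
        }
        return rules;
    }

    // Hypothetical stand-in for a permits(..., checkKey) call; not the JDK method.
    static boolean permits(List<Rule> rules, String sigAlg, KeyInfo key, boolean checkKey) {
        // Decompose a name such as "SHA256withRSA" into its digest and key algorithm parts.
        for (String part : sigAlg.split("(?i)with")) {
            for (Rule r : rules)
                if (r.minBits() == 0 && r.alg().equalsIgnoreCase(part)) return false;
        }
        // With checkKey == false the verdict covers the algorithm names only.
        return !checkKey || keyPermitted(rules, key);
    }

    static boolean keyPermitted(List<Rule> rules, KeyInfo key) {
        for (Rule r : rules)
            if (r.alg().equalsIgnoreCase(key.alg())
                    && (r.minBits() == 0 || key.bits() < r.minBits())) return false;
        return true;
    }

    public static void main(String[] args) {
        List<Rule> rules = parse(POLICY);
        KeyInfo weak = new KeyInfo("RSA", 1024);   // constructed sample key
        // Conflated check: one verdict covering both the algorithm and the key.
        System.out.println("checkKey=true : " + permits(rules, "SHA256withRSA", weak, true));
        // Separated checks: algorithm and key are judged independently, so a
        // report can name whichever one the policy actually rejects.
        System.out.println("algorithm ok  : " + permits(rules, "SHA256withRSA", weak, false));
        System.out.println("key ok        : " + keyPermitted(rules, weak));
        System.out.println("MD5withRSA ok : " + permits(rules, "MD5withRSA", weak, false));
    }
}
```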