RFR: 8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled [v2]

Sean Mullan mullan at openjdk.java.net
Tue Nov 16 18:10:04 UTC 2021


> When a signature/digest algorithm was being checked, the algorithm constraints checked both the signature/digest algorithm and the key to see if they were restricted. This caused duplicate checks and was also problematic for `jarsigner` (and `keytool`) which need to distinguish these two cases, so that the output can properly indicate when the key is disabled but the signature or digest alg is ok. 
> 
> To address this issue, a new `checkKey` parameter is added to the `DisabledAlgorithmConstraints.permits` methods. When `true` the key (alg and size) is also checked, otherwise it is not. This flag is always set to `false` by `jarsigner` when checking algs and by the JDK when checking digest algorithms. Other small changes include changes in `SignerInfo` to use a record to store info about the algorithms to be checked, and removing an unnecessary CRL checking method from `AlgorithmChecker`.
> 
> `keytool` will be enhanced in a subsequent CR to call the new methods.

Sean Mullan has updated the pull request incrementally with one additional commit since the last revision:

  Use var in for loop in SignerInfo.
  In TimestampCheck test, combine/simplify what messages should not be emitted
  when jar is signed with 512-bit RSA key.

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6296/files
  - new: https://git.openjdk.java.net/jdk/pull/6296/files/6c1f1dd8..ac6d9436

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6296&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6296&range=00-01

  Stats: 13 lines in 2 files changed: 0 ins; 8 del; 5 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6296.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6296/head:pull/6296

PR: https://git.openjdk.java.net/jdk/pull/6296
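
The split described in the pull request text, as an added example that is not part of the original message and is not the JDK's `DisabledAlgorithmConstraints` code. The class `CheckKeyDemo`, its helper names and its policy values are assumptions made for illustration; it shows why a combined check cannot tell a caller such as `jarsigner` whether the algorithm or the key was the restricted part.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAKey;
import java.util.Map;
import java.util.Set;

// Simplified model of the behaviour the PR describes; NOT the JDK implementation.
// The policy below is constructed for this example.
public class CheckKeyDemo {
    static final Set<String> DISABLED_ALGS = Set.of("MD5", "MD5withRSA");
    static final Map<String, Integer> MIN_KEY_BITS = Map.of("RSA", 1024);

    // Key-only check: key algorithm and size against the constructed policy.
    static boolean keyPermitted(PublicKey key) {
        Integer min = MIN_KEY_BITS.get(key.getAlgorithm());
        if (min == null || !(key instanceof RSAKey)) {
            return true; // no size rule for this key type in the model
        }
        return ((RSAKey) key).getModulus().bitLength() >= min;
    }

    // checkKey == true: algorithm and key are judged together, so a caller
    // only learns "not permitted" and cannot tell which part failed.
    // checkKey == false: only the algorithm name is judged.
    static boolean permits(String alg, PublicKey key, boolean checkKey) {
        if (DISABLED_ALGS.contains(alg)) {
            return false;
        }
        return !checkKey || keyPermitted(key);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(512); // weak key, as in the 512-bit RSA test case
        PublicKey weak = kpg.generateKeyPair().getPublic();
        String sigAlg = "SHA256withRSA";

        // Combined check: one boolean for both algorithm and key.
        System.out.println("combined permits: " + permits(sigAlg, weak, true));

        // Separate checks: the report can name the actual cause.
        boolean algOk = permits(sigAlg, weak, false);
        boolean keyOk = keyPermitted(weak);
        System.out.println("signature algorithm ok: " + algOk);
        System.out.println("key ok: " + keyOk);
        if (algOk && !keyOk) {
            System.out.println("warn about the key only, not " + sigAlg);
        }
    }
}
```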


