RFR: 8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled [v2]

Sean Mullan mullan at openjdk.java.net
Thu Nov 18 15:06:45 UTC 2021

On Tue, 16 Nov 2021 17:53:16 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1491:
>>> 1489:     private static String checkWeakAlg(String alg, CertPathConstraintsParameters cpcp) {
>>> 1490:         try {
>>> 1491:             CERTPATH_DISABLED_CHECK.permits(alg, cpcp, false);
>> Do we need to check AlgorithmParamters as well? Ex: if `alg` is RSASSA-PSS.
> We should, but the problem is that jarsigner needs to individually test each algorithm, so it can properly display which algorithm is restricted. So, I think it will need to parse the RSSASSA params itself, and then call the constraints code to check each algorithm. Let me see if I can code up something that does that.

I would like to defer the checking of AlgorithmParameters as part of another bug. There are some major restructuring changes that would need to be made to jarsigner to support this. And for RSASSA-PSS, there should not be any risk for a while since by default jarsigner uses at least SHA-256 for the digest algorithms in the PSS parameters.


PR: https://git.openjdk.java.net/jdk/pull/6296

More information about the security-dev mailing list