RFR: 8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled [v2]

Weijun Wang weijun at openjdk.java.net
Thu Nov 18 18:44:45 UTC 2021


On Thu, 18 Nov 2021 15:03:33 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> We should, but the problem is that jarsigner needs to individually test each algorithm, so it can properly display which algorithm is restricted. So, I think it will need to parse the RSASSA params itself, and then call the constraints code to check each algorithm. Let me see if I can code up something that does that.
>
> I would like to defer the checking of AlgorithmParameters as part of another bug. There are some major restructuring changes that would need to be made to jarsigner to support this. And for RSASSA-PSS, there should not be any risk for a while since by default jarsigner uses at least SHA-256 for the digest algorithms in the PSS parameters.

Looks so.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6296
