Integrated: 8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

[Sean Mullan]

On Mon, 8 Nov 2021 14:04:15 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> When a signature/digest algorithm was being checked, the algorithm constraints checked both the signature/digest algorithm and the key to see if they were restricted. This caused duplicate checks and was also problematic for `jarsigner` (and `keytool`) which need to distinguish these two cases, so that the output can properly indicate when the key is disabled but the signature or digest alg is ok. 
> 
> To address this issue, a new `checkKey` parameter is added to the `DisabledAlgorithmConstraints.permits` methods. When `true` the key (alg and size) is also checked, otherwise it is not. This flag is always set to `false` by `jarsigner` when checking algs and by the JDK when checking digest algorithms. Other small changes include changes in `SignerInfo` to use a record to store info about the algorithms to be checked, and removing an unnecessary CRL checking method from `AlgorithmChecker`.
> 
> `keytool` will be enhanced in a subsequent CR to call the new methods.

This pull request has now been integrated.

Changeset: 03f8c0fb
Author:    Sean Mullan <mullan at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/03f8c0fb9363dc1bb07bed1ae0359c029caa0130
Stats:     121 lines in 9 files changed: 32 ins; 31 del; 58 mod

8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

Reviewed-by: weijun

-------------

PR: https://git.openjdk.java.net/jdk/pull/6296