RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v2]
Weijun Wang
weijun at openjdk.java.net
Wed Mar 2 18:04:06 UTC 2022
On Wed, 2 Mar 2022 17:46:26 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1414:
>>
>>> 1412: } catch (CertPathValidatorException e) {
>>> 1413: disabledAlgFound = true;
>>> 1414: return String.format(rb.getString("with.disabled"), algParams);
>>
>> The return value of this method will be shown as the "Signature algorithm" in the output. It's OK to include an optional "weak" (or "disabled") tag, but the core part still must be an algorithm name. Here, the updated code returns the string format of `algParams`, which is not an algorithm name.
>>
>> I'm not sure how to fix this nicely. Certainly you want to show the user why it is weak so the weak part should be displayed. A verbose solution could be "RSASSA-PSS using PSSParameterSpec(...SHA-1...) (weak)", but the `toString()` output of `PSSParameterSpec` is quite long.
>>
>> Same comment to the code change below.
>
> I added "RSASSA-PSS using " to the `-verbose` output as suggested, and keep the remaining output as the parameters for the RSASSA-PSS contain hashAlgorithm and maskGenAlgorithm that could be disabled or weak. At the same time, strip off the saltLength and trailerField display.
What does it look like now? Also, you might need to create a mapping in `Resources.java` because "using" should only be shown when the system language is English.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7582
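
The output shape discussed in this thread, as an added example that is not code from the PR or from jarsigner: the algorithm name stays first, the PSS parameters are reduced to the digest and MGF digest, and the word "using" comes from a resource bundle. The bundle class, its keys (`demo.using`, `demo.disabled`) and the caller-supplied `disabled` flag are assumptions made for illustration; the real tool decides "disabled" from its own algorithm constraints.

```java
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.ListResourceBundle;
import java.util.ResourceBundle;

public class PssDisplayName {
    // Hypothetical stand-in for a Resources.java mapping; keys are made up here.
    // A translated bundle would supply its own wording in place of "using".
    public static class DemoResources extends ListResourceBundle {
        @Override
        protected Object[][] getContents() {
            return new Object[][] {
                {"demo.using", "%1$s using %2$s"},
                {"demo.disabled", "%s (disabled)"},
            };
        }
    }

    static final ResourceBundle rb = new DemoResources();

    // Keep only the parts that can be weak or disabled: the message digest
    // and the MGF digest. saltLength and trailerField are left out.
    static String compactParams(PSSParameterSpec spec) {
        String mgf = spec.getMGFAlgorithm();
        AlgorithmParameterSpec mgfParams = spec.getMGFParameters();
        if (mgfParams instanceof MGF1ParameterSpec) {
            mgf += "/" + ((MGF1ParameterSpec) mgfParams).getDigestAlgorithm();
        }
        return spec.getDigestAlgorithm() + ", " + mgf;
    }

    // The algorithm name is always the core of the string; the tag is optional.
    static String display(String algName, PSSParameterSpec spec, boolean disabled) {
        String core = String.format(rb.getString("demo.using"),
                algName, compactParams(spec));
        return disabled ? String.format(rb.getString("demo.disabled"), core) : core;
    }

    public static void main(String[] args) {
        // Constructed sample parameters, not taken from a real signed JAR.
        PSSParameterSpec sha1 = new PSSParameterSpec(
                "SHA-1", "MGF1", MGF1ParameterSpec.SHA1, 20, 1);
        PSSParameterSpec sha256 = new PSSParameterSpec(
                "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
        System.out.println(display("RSASSA-PSS", sha1, true));
        System.out.println(display("RSASSA-PSS", sha256, false));
    }
}
```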