RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v2]

Weijun Wang weijun at openjdk.java.net
Wed Mar 2 19:57:05 UTC 2022


On Wed, 2 Mar 2022 18:01:04 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> I add "RSASSA-PSS using " to the `-verbose` output as suggested, and keep the remaining output as the parameters for the RSASSA-PSS contain hashAlgorithm and maskGenAlgorithm that could be disabled or weak. At the same time, strip off the saltLength and trailerField display.
>
> What does it look like now? Also, you might need to create a mapping in `Resources.java` because "using" should only be shown when the system language is English.

Also, what if it's another algorithm using another type of parameters? You cannot hardcode "RSASSA-PSS" and take it for granted that there is a "]" inside the string format of the parameter and it's the end of the weak part.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7582


