RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v4]

Weijun Wang weijun at openjdk.java.net
Thu Mar 3 19:43:08 UTC 2022


On Thu, 3 Mar 2022 07:24:49 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> This fixes jarsigner to enforce checking against algorithm constraint properties so when the signature algorithms parameters use disabled or legacy algorithms, it will emit warnings accordingly. If the algorithm used in parameters is disabled, jarsigner treats the jar as unsigned.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Removed unused string

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1418:

> 1416:                                 "RSASSA-PSS", algParams);
> 1417:                     default:
> 1418:                         return String.format(rb.getString("with.disabled"), algParams);

There is no need to differentiate RSASSA-PSS and other algorithms. Just use the exact same format as you defined in `Resources.java`. This makes sure if one day another type of algorithm parameters fail the check, we will see the algorithm name and full description of the parameters as well. If the description is not clear, it's the problem of its `toString()` implementation.

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1452:

> 1450:                     default:
> 1451:                         return String.format(rb.getString("with.weak"), algParams);
> 1452:                 }

Same as above.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7582



More information about the security-dev mailing list