RFR: 8302233: HSS/LMS: keytool and jarsigner changes

Weijun Wang weijun at openjdk.org
Thu Nov 16 16:19:35 UTC 2023


On Thu, 16 Nov 2023 15:45:38 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Code changes for HSS/LMS that's related to keytool and jarsigner:
>> 
>> 1. No need to add `-sigalg` for both tools when HSS/LMS key is involved, it can only be `HSS/LMS`.
>> 2. The `digestAlgorithm` field in a PKCS7 `SignerInfo`. It must be the same as the hash algorithm used by the HSS/LMS key. This needs to be enforced both at signing and verification.
>> 3. HSS/LMS reuses `.DSA` as the signature block file extension inside a signed JAR file
>
> src/java.base/share/classes/sun/security/pkcs/SignerInfo.java line 488:
> 
>> 486:      *                   directly. This makes difference for Ed448.
>> 487:      */
>> 488:     public static void algorithmsConformanceCheck(
> 
> Can this be private?

Sure.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/14254#discussion_r1395986419


More information about the security-dev mailing list