RFR: 8302233: HSS/LMS: keytool and jarsigner changes [v4]

Weijun Wang weijun at openjdk.org
Sat Nov 25 01:17:30 UTC 2023


> Code changes for HSS/LMS that's related to keytool and jarsigner:
> 
> 1. No need to add `-sigalg` for both tools when HSS/LMS key is involved, it can only be `HSS/LMS`.
> 2. The `digestAlgorithm` field in a PKCS7 `SignerInfo`. It must be the same as the hash algorithm used by the HSS/LMS key. This needs to be enforced both at signing and verification.
> 3. HSS/LMS reuses `.DSA` as the signature block file extension inside a signed JAR file

Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:

  explain hashAlgFromHSS

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/14254/files
  - new: https://git.openjdk.org/jdk/pull/14254/files/ff150140..04a7a0b7

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=14254&range=03
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=14254&range=02-03

  Stats: 6 lines in 1 file changed: 6 ins; 0 del; 0 mod
  Patch: https://git.openjdk.org/jdk/pull/14254.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/14254/head:pull/14254

PR: https://git.openjdk.org/jdk/pull/14254


More information about the security-dev mailing list