Skip to content

Commit

Permalink
8292704: sun/security/tools/jarsigner/compatibility/Compatibility.jav…
Browse files Browse the repository at this point in the history 
…a use wrong key size for EC

Reviewed-by: rhalade
  • Loading branch information
Matthew Donovan committed Jun 22, 2023
1 parent 0e4fde3 commit 130a9f1
Show file tree
Hide file tree
Showing 2 changed files with 55 additions and 13 deletions.
65 changes: 52 additions & 13 deletions test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java
View file
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -31,7 +31,7 @@
* its usages, please look through the README.
*
* @library /test/lib ../warnings
* @compile -source 1.7 -target 1.7 JdkUtils.java
* @compile -source 1.8 -target 1.8 JdkUtils.java
* @run main/manual/othervm Compatibility
*/

Expand Down Expand Up @@ -67,7 +67,6 @@
import java.util.stream.Collectors;
import java.util.stream.IntStream;

import jdk.test.lib.Platform;
import jdk.test.lib.process.OutputAnalyzer;
import jdk.test.lib.process.ProcessTools;
import jdk.test.lib.util.JarUtils;
Expand Down Expand Up @@ -460,7 +459,7 @@ private static int[] keySizes(String keyAlgorithm) throws IOException {
if (RSA.equals(keyAlgorithm) || DSA.equals(keyAlgorithm)) {
return new int[] { 1024, 2048, 0 }; // 0 is no keysize specified
} else if (EC.equals(keyAlgorithm)) {
return new int[] { 384, 571, 0 }; // 0 is no keysize specified
return new int[] { 384, 521, 0 }; // 0 is no keysize specified
} else {
throw new RuntimeException("problem determining key sizes");
}
Expand Down Expand Up @@ -717,7 +716,7 @@ private static void verifying(SignItem signItem, VerifyItem verifyItem)
try {
String match = "^ ("
+ " Signature algorithm: " + signItem.certInfo.
expectedSigalg() + ", " + signItem.certInfo.
expectedSigalg(signItem) + ", " + signItem.certInfo.
expectedKeySize() + "-bit key"
+ ")|("
+ " Digest algorithm: " + signItem.expectedDigestAlg()
Expand Down Expand Up @@ -845,6 +844,7 @@ private static Status verifyingStatus(SignItem signItem, VerifyItem

if (isWeakAlg(signItem.expectedDigestAlg())
&& line.contains(Test.WEAK_ALGORITHM_WARNING)) continue;
if (line.contains(Test.WEAK_KEY_WARNING)) continue;
if (Test.CERTIFICATE_SELF_SIGNED.equals(line)) continue;
if (Test.HAS_EXPIRED_CERT_VERIFYING_WARNING.equals(line)
&& signItem.certInfo.expired) continue;
Expand Down Expand Up @@ -1183,19 +1183,56 @@ private String sigalg() {
}

private String expectedSigalg() {
return (DEFAULT.equals(this.digestAlgorithm) ? this.digestAlgorithm
: "SHA-256").replace("-", "") + "with" +
keyAlgorithm + (EC.equals(keyAlgorithm) ? "DSA" : "");
return "SHA256with" + keyAlgorithm + (EC.equals(keyAlgorithm) ? "DSA" : "");
}

private String expectedSigalg(SignItem signer) {
if (!DEFAULT.equals(digestAlgorithm)) {
return "SHA256with" + keyAlgorithm + (EC.equals(keyAlgorithm) ? "DSA" : "");

} else {
// default algorithms documented for jarsigner here:
// https://docs.oracle.com/en/java/javase/17/docs/specs/man/jarsigner.html#supported-algorithms
// https://docs.oracle.com/en/java/javase/20/docs/specs/man/jarsigner.html#supported-algorithms
int expectedKeySize = expectedKeySize();
switch (keyAlgorithm) {
case DSA:
return "SHA256withDSA";
case RSA: {
if ((signer.jdkInfo.majorVersion >= 20 && expectedKeySize < 624)
|| (signer.jdkInfo.majorVersion < 20 && expectedKeySize <= 3072)) {
return "SHA256withRSA";
} else if (expectedKeySize <= 7680) {
return "SHA384withRSA";
} else {
return "SHA512withRSA";
}
}
case EC: {
if (signer.jdkInfo.majorVersion < 20 && expectedKeySize < 384) {
return "SHA256withECDSA";
} else if (expectedKeySize < 512) {
return "SHA384withECDSA";
} else {
return "SHA512withECDSA";
}
}
default:
throw new RuntimeException("Unsupported/expected key algorithm: " + keyAlgorithm);
}
}
}

private int expectedKeySize() {
if (keySize != 0) return keySize;

// defaults
if (RSA.equals(keyAlgorithm) || DSA.equals(keyAlgorithm)) {
return 3072;
if (RSA.equals(keyAlgorithm)) {
return jdkInfo.majorVersion >= 20 ? 3072 : 2048;
} else if (DSA.equals(keyAlgorithm)) {
return 2048;
} else if (EC.equals(keyAlgorithm)) {
return 384;
return jdkInfo.majorVersion >= 20 ? 384 : 256;
} else {
throw new RuntimeException("problem determining key size");
}
Expand Down Expand Up @@ -1391,7 +1428,9 @@ private SignItem digestAlgorithm(String digestAlgorithm) {
}

String expectedDigestAlg() {
return digestAlgorithm != null ? digestAlgorithm : "SHA-256";
return digestAlgorithm != null
? digestAlgorithm
: jdkInfo.majorVersion >= 20 ? "SHA-384" : "SHA-256";
}

private SignItem tsaDigestAlgorithm(String tsaDigestAlgorithm) {
Expand Down Expand Up @@ -1540,7 +1579,7 @@ private static String reportRow(SignItem signItem, VerifyItem verifyItem) {
s_values_add.accept(i -> i.unsignedJar + " -> " + i.signedJar);
s_values_add.accept(i -> i.certInfo.toString());
s_values_add.accept(i -> i.jdkInfo.version);
s_values_add.accept(i -> i.certInfo.expectedSigalg());
s_values_add.accept(i -> i.certInfo.expectedSigalg(i));
s_values_add.accept(i ->
null2Default(i.digestAlgorithm, i.expectedDigestAlg()));
s_values_add.accept(i -> i.tsaIndex == -1 ? "" :
Expand Down
3 changes: 3 additions & 0 deletions test/jdk/sun/security/tools/jarsigner/warnings/Test.java
View file
Expand Up @@ -148,6 +148,9 @@ public abstract class Test {
= "algorithm is considered a security risk. "
+ "This algorithm will be disabled in a future update.";

static final String WEAK_KEY_WARNING
= "This key size will be disabled in a future update.";

static final String JAR_SIGNED = "jar signed.";

static final String JAR_VERIFIED = "jar verified.";
Expand Down

3 comments on commit 130a9f1

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review

Issues

@rhalade
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/backport jdk21

@openjdk
Copy link

@openjdk openjdk bot commented on 130a9f1 Jun 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rhalade the backport was successfully created on the branch rhalade-backport-130a9f13 in my personal fork of openjdk/jdk21. To create a pull request with this backport targeting openjdk/jdk21:master, just click the following link:

➡️ Create pull request

The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:

Hi all,

This pull request contains a backport of commit 130a9f13 from the openjdk/jdk repository.

The commit being backported was authored by Matthew Donovan on 22 Jun 2023 and was reviewed by Rajan Halade.

Thanks!

If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk21:

$ git fetch https://github.com/openjdk-bots/jdk21.git rhalade-backport-130a9f13:rhalade-backport-130a9f13
$ git checkout rhalade-backport-130a9f13
# make changes
$ git add paths/to/changed/files
$ git commit --message 'Describe additional changes made'
$ git push https://github.com/openjdk-bots/jdk21.git rhalade-backport-130a9f13

Please sign in to comment.