
8269039: Disable SHA-1 Signed JARs #5320

Closed
wants to merge 9 commits into from

Conversation

seanjmullan
Member

@seanjmullan seanjmullan commented Aug 31, 2021

This change will disable JARs signed with algorithms using SHA-1 by default, and treat them as unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. The specific details are more fully described in the CSR: https://bugs.openjdk.java.net/browse/JDK-8272155.

Some additional notes about the fix:

  • This change was previously backed out of JDK 17 and delayed because of performance regressions. The overall performance is still to be verified, but the primary bottlenecks were addressed as follows:
    • sun.security.util.DisabledAlgorithmConstraints no longer depends on java.text.SimpleDateFormat to format date fields which is expensive.
    • the jdkCA constraint has been removed as this caused the cacerts keystore to be loaded. Applications using SHA-1 JARs signed by certificates that chain back to private CAs and are impacted by the restrictions can, at their own risk, adjust the properties and add back in the jdkCA constraint.
  • jarsigner has been enhanced to more accurately warn about algorithms that are disabled based on the constraints specified in the security properties. Previously it had used a simpler scheme which did not take into account constraints such as Usage or DenyAfter. Similar changes should also be made to keytool but that will be addressed in a separate issue.
  • Some SHA-1 JARs used by tests where it does not affect the results have been re-signed with SHA-2 algorithms.

Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/5320/head:pull/5320
$ git checkout pull/5320

Update a local copy of the PR:
$ git checkout pull/5320
$ git pull https://git.openjdk.java.net/jdk pull/5320/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 5320

View PR using the GUI difftool:
$ git pr show -t 5320

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/5320.diff
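As an added example (not code from the PR or the JDK itself), a small Java check that shows the effect described in the PR body: JarFile applies the algorithm constraints while verifying, so an entry whose signature depends on a disabled algorithm is reported by JarEntry.getCodeSigners() as null, exactly like an unsigned entry. The only assumption is the placeholder JAR path; the property names jdk.jar.disabledAlgorithms and jdk.certpath.disabledAlgorithms are the real ones, and their default values are deliberately not quoted because they differ between releases.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Security;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example, not part of the PR: reports whether a JAR's entries are still
// treated as signed by the running JDK. Entries whose signature relies on an
// algorithm disabled by the security properties come back as unsigned.
public class SignedJarCheck {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "sample.jar"; // "sample.jar" is a placeholder
        System.out.println("jdk.jar.disabledAlgorithms = " + Security.getProperty("jdk.jar.disabledAlgorithms"));
        byte[] buf = new byte[8192];
        // verify=true: digests and signature blocks are checked as entries are read
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature blocks live here and are not themselves signed
                }
                // Signers are only available once the entry has been read to the end
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                } catch (SecurityException se) {
                    System.out.println(e.getName() + ": digest mismatch (" + se.getMessage() + ")");
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println(e.getName() + ": treated as UNSIGNED");
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate leaf =
                            (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = s.getTimestamp();
                    System.out.println(e.getName() + ": signed, signer cert sigalg="
                            + leaf.getSigAlgName()
                            + (ts != null ? ", timestamped " + ts.getTimestamp() : ", no timestamp"));
                }
            }
        }
    }
}
```

Running it once with the defaults and once with -Djava.security.properties=<override file> that relaxes the property shows which entries change status; the constraint syntax (usage, denyAfter, jdkCA) is documented in the JDK's java.security file.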

@bridgekeeper

@bridgekeeper bridgekeeper bot commented Aug 31, 2021

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@seanjmullan
Member Author

@seanjmullan seanjmullan commented Aug 31, 2021

/csr

@openjdk

@openjdk openjdk bot commented Aug 31, 2021

@seanjmullan this pull request will not be integrated until the CSR request JDK-8272155 for issue JDK-8269039 has been approved.

@openjdk openjdk bot added the csr label Aug 31, 2021
@openjdk

@openjdk openjdk bot commented Aug 31, 2021

@seanjmullan The following labels will be automatically applied to this pull request:

  • compiler
  • core-libs
  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added security core-libs compiler rfr labels Aug 31, 2021
@mlbridge

@mlbridge mlbridge bot commented Aug 31, 2021

Webrevs

@AlanBateman
Contributor

@AlanBateman AlanBateman commented Sep 1, 2021

/label remove core-libs

@openjdk openjdk bot removed the core-libs label Sep 1, 2021
@openjdk

@openjdk openjdk bot commented Sep 1, 2021

@AlanBateman
The core-libs label was successfully removed.

@openjdk openjdk bot removed the rfr label Sep 20, 2021
@openjdk openjdk bot added the rfr label Sep 20, 2021
this.timestamp = null;
}
}

// extract last certificate and key from chain
private void init(CertPath cp) {
Contributor

@wangweij wangweij Sep 20, 2021

The init name suggests it's only done once at the beginning, but actually it's an accumulation process. Can we find another name?

Member Author

@seanjmullan seanjmullan Sep 20, 2021

I have renamed it to addToCertsAndKeys.

? timestamp.getTimestamp() : date();
}
return timestampDate;
}
Contributor

@wangweij wangweij Sep 20, 2021

Can we also add some words to the date() method? Something which tells the major difference between it and timestamp()?

Member Author

@seanjmullan seanjmullan Sep 20, 2021

Done - see latest commit.

Contributor

@wangweij wangweij Sep 20, 2021

All is good. No other comments.

@openjdk openjdk bot removed the csr label Sep 20, 2021
@openjdk

@openjdk openjdk bot commented Sep 20, 2021

@seanjmullan This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8269039: Disable SHA-1 Signed JARs

Reviewed-by: weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 516 new commits pushed to the master branch:

  • 5c21c00: 8267163: Rename anonymous loader tests to hidden loader tests
  • b3b4b1c: 8273907: Cleanup redundant Math.max/min calls in DefaultHighlighter
  • a67f0f9: 8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes
  • 26e5e9a: 8273654: JFR: Remove unused SecuritySupport.setAccessible(Field)
  • 4b3a4ff: 8273940: vmTestbase/vm/mlvm/meth/stress/gc/callSequencesDuringGC/Test.java crashes in full gc during VM exit
  • dad5d27: 8272867: JFR: ManagementSupport.removeBefore() lost coverage
  • 48aff23: 8272515: JFR: Names should only be valid Java identifiers
  • 4d95a5d: 8273933: [TESTBUG] Test must run without preallocated exceptions
  • 9aa12da: 8273934: Remove unused perfcounters
  • 4da45c4: 8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction
  • ... and 506 more: https://git.openjdk.java.net/jdk/compare/bdb50cab79056bb2ac9fe1ba0cf0f237317052da...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready label Sep 20, 2021
@seanjmullan
Member Author

@seanjmullan seanjmullan commented Sep 21, 2021

/integrate

@openjdk

@openjdk openjdk bot commented Sep 21, 2021

Going to push as commit 6d91a3e.
Since your change was applied there have been 534 commits pushed to the master branch:

  • 42d5d2a: 8274056: JavaAccessibilityUtilities leaks JNI objects
  • 57df0db: 8270873: JFR: Catch DirectoryIteratorException when scanning for .jfr files
  • 111d5e1: 8273915: Create 'nosafepoint' rank
  • 7acec3f: 8236505: Mark jdk/editpad/EditPadTest.java as @headful
  • afd218d: 8274053: [BACKOUT] JDK-8270842: G1: Only young regions need to redirty outside references in remset.
  • a5108a6: 8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher
  • 65ed0a7: 8273655: content-types.properties files are missing some common types
  • c60bcd0: 8273928: Use named run ids when problem listing tests
  • 6642d2e: 8273783: Simplify Metaspace arena guard handling
  • f242cb5: 8273797: Stop impersonating "server" VM in all VM variants
  • ... and 524 more: https://git.openjdk.java.net/jdk/compare/bdb50cab79056bb2ac9fe1ba0cf0f237317052da...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot closed this Sep 21, 2021
@openjdk openjdk bot added integrated and removed ready rfr labels Sep 21, 2021
@openjdk

@openjdk openjdk bot commented Sep 21, 2021

@seanjmullan Pushed as commit 6d91a3e.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Labels
compiler integrated security
3 participants