Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled #6296

Closed
wants to merge 3 commits into from
Closed

8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled #6296

wants to merge 3 commits into from

Conversation

seanjmullan
Copy link
Member

@seanjmullan seanjmullan commented Nov 8, 2021
edited by openjdk bot

When a signature/digest algorithm was being checked, the algorithm constraints checked both the signature/digest algorithm and the key to see if they were restricted. This caused duplicate checks and was also problematic for jarsigner (and keytool) which need to distinguish these two cases, so that the output can properly indicate when the key is disabled but the signature or digest alg is ok.

To address this issue, a new checkKey parameter is added to the DisabledAlgorithmConstraints.permits methods. When true the key (alg and size) is also checked, otherwise it is not. This flag is always set to false by jarsigner when checking algs and by the JDK when checking digest algorithms. Other small changes include changes in SignerInfo to use a record to store info about the algorithms to be checked, and removing an unnecessary CRL checking method from AlgorithmChecker.

keytool will be enhanced in a subsequent CR to call the new methods.

Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

  • JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6296/head:pull/6296
$ git checkout pull/6296

Update a local copy of the PR:
$ git checkout pull/6296
$ git pull https://git.openjdk.java.net/jdk pull/6296/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 6296

View PR using the GUI difftool:
$ git pr show -t 6296

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6296.diff

@bridgekeeper
Copy link

bridgekeeper bot commented Nov 8, 2021

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr Pull request is ready for review label Nov 8, 2021
@openjdk
Copy link

openjdk bot commented Nov 8, 2021

@seanjmullan The following labels will be automatically applied to this pull request:

  • compiler
  • core-libs
  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added security security-dev@openjdk.org core-libs core-libs-dev@openjdk.org compiler compiler-dev@openjdk.org labels Nov 8, 2021
@seanjmullan
Copy link
Member Author

/label remove core-libs

@seanjmullan
Copy link
Member Author

/label remove compiler

@openjdk openjdk bot removed the core-libs core-libs-dev@openjdk.org label Nov 8, 2021
@openjdk
Copy link

openjdk bot commented Nov 8, 2021

@seanjmullan
The core-libs label was successfully removed.

@openjdk openjdk bot removed the compiler compiler-dev@openjdk.org label Nov 8, 2021
@openjdk
Copy link

openjdk bot commented Nov 8, 2021

@seanjmullan
The compiler label was successfully removed.

@mlbridge
Copy link

mlbridge bot commented Nov 8, 2021
edited

Webrevs

wangweij
wangweij reviewed Nov 16, 2021
View reviewed changes
Copy link
Contributor

@wangweij wangweij left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm feeling we should completely dump checking for algorithms and switch to checking algorithmIds. Even if currently it's only RSASSA-PSS, but suppose one day we support the SHAKE256-LEN MessageDigest algorithm and I suppose that LEN cannot be any number.

src/java.base/share/classes/sun/security/pkcs/SignerInfo.java Outdated Show resolved Hide resolved
test/jdk/sun/security/tools/jarsigner/TimestampCheck.java Outdated Show resolved Hide resolved
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java Show resolved Hide resolved
@seanjmullan
Copy link
Member Author

I'm feeling we should completely dump checking for algorithms and switch to checking algorithmIds. Even if currently it's only RSASSA-PSS, but suppose one day we support the SHAKE256-LEN MessageDigest algorithm and I suppose that LEN cannot be any number.

Yes, this is a good suggestion, but I think it should be tackled separately. I'll file a separate RFE though. It would be nice if we made AlgorithmId a public API too.

@seanjmullan
Use var in for loop in SignerInfo.
ac6d943 
In TimestampCheck test, combine/simplify what messages should not be emitted
when jar is signed with 512-bit RSA key.
@openjdk
Copy link

openjdk bot commented Nov 18, 2021

@seanjmullan This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

Reviewed-by: weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 245 new commits pushed to the master branch:

  • 8db0c36: 8277414: ProblemList runtime/CommandLine/VMDeprecatedOptions.java on windows-x64
  • 03473b4: 8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
  • ce0f00f: 8276093: Improve naming in closures to iterate over card sets
  • 5d249c4: 8275071: [macos] A11y cursor gets stuck when combobox is closed
  • 354a34e: 8277336: Improve CollectedHeap::safepoint_workers comments
  • 276bfcd: 8277407: javax/swing/plaf/synth/SynthButtonUI/6276188/bug6276188.java fails to compile after JDK-8276058
  • d93b238: 8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64
  • 00c388b: 8259643: ZGC can return metaspace OOM prematurely
  • a44b45f: 4337793: Mark non-serializable fields of java.security.cert.Certificate and CertPath
  • b3a62b4: 8276795: Deprecate seldom used CDS flags
  • ... and 235 more: https://git.openjdk.java.net/jdk/compare/99b7b95e014da6e491ba7adfd21de53d6ae166fe...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Nov 18, 2021
@seanjmullan
Copy link
Member Author

/integrate

@openjdk
Copy link

openjdk bot commented Nov 19, 2021

Going to push as commit 03f8c0f.
Since your change was applied there have been 261 commits pushed to the master branch:

  • 936f7ff: 8276150: Quarantined jpackage apps are labeled as "damaged"
  • a022796: 8275745: Reproducible copyright headers
  • b1a1bf4: 8277427: Update jib-profiles.js to use JMH 1.33 devkit
  • 03debf2: 8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
  • b15e6f0: 8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs
  • 11d819d: 8277439: G1: Correct include guard name in G1EvacFailureObjectsSet.hpp
  • 7a046e0: 8277371: Remove unnecessary DefNewGeneration::ref_processor_init()
  • 3a76d39: 8277324: C2 compilation fails with "bad AD file" on x86-32 after JDK-8276162 due to missing match rule
  • 2f20b0d: 8273039: JShell crashes when naming variable or method "abstract" or "strictfp"
  • f34f119: 8277213: CompileTask_lock is acquired out of order with MethodCompileQueue_lock
  • ... and 251 more: https://git.openjdk.java.net/jdk/compare/99b7b95e014da6e491ba7adfd21de53d6ae166fe...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot closed this Nov 19, 2021
@openjdk openjdk bot added integrated Pull request has been integrated and removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Nov 19, 2021
@openjdk
Copy link

openjdk bot commented Nov 19, 2021

@seanjmullan Pushed as commit 03f8c0f.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wangweij wangweij wangweij approved these changes

Assignees
No one assigned
Labels
integrated Pull request has been integrated security security-dev@openjdk.org
Milestone
No milestone
2 participants
@seanjmullan @wangweij