New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled #6296
Conversation
… if keysize is weak/disabled
|
@seanjmullan The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command. |
/label remove core-libs |
/label remove compiler |
@seanjmullan |
@seanjmullan |
Webrevs
|
I'm feeling we should completely dump checking for algorithms and switch to checking algorithmIds. Even if currently it's only RSASSA-PSS, but suppose one day we support the SHAKE256-LEN MessageDigest algorithm and I suppose that LEN cannot be any number.
Yes, this is a good suggestion, but I think it should be tackled separately. I'll file a separate RFE though. It would be nice if we made AlgorithmId a public API too. |
In TimestampCheck test, combine/simplify what messages should not be emitted when jar is signed with 512-bit RSA key.
@seanjmullan This change now passes all automated pre-integration checks. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 245 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.
|
/integrate |
Going to push as commit 03f8c0f.
Your commit was automatically rebased without conflicts. |
@seanjmullan Pushed as commit 03f8c0f. |
When a signature/digest algorithm was being checked, the algorithm constraints checked both the signature/digest algorithm and the key to see if they were restricted. This caused duplicate checks and was also problematic for
jarsigner
(andkeytool
) which need to distinguish these two cases, so that the output can properly indicate when the key is disabled but the signature or digest alg is ok.To address this issue, a new
checkKey
parameter is added to theDisabledAlgorithmConstraints.permits
methods. Whentrue
the key (alg and size) is also checked, otherwise it is not. This flag is always set tofalse
byjarsigner
when checking algs and by the JDK when checking digest algorithms. Other small changes include changes inSignerInfo
to use a record to store info about the algorithms to be checked, and removing an unnecessary CRL checking method fromAlgorithmChecker
.keytool
will be enhanced in a subsequent CR to call the new methods.Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6296/head:pull/6296
$ git checkout pull/6296
Update a local copy of the PR:
$ git checkout pull/6296
$ git pull https://git.openjdk.java.net/jdk pull/6296/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 6296
View PR using the GUI difftool:
$ git pr show -t 6296
Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6296.diff