8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

[seanjmullan]

When a signature/digest algorithm was being checked, the algorithm constraints checked both the signature/digest algorithm and the key to see if they were restricted. This caused duplicate checks and was also problematic for jarsigner (and keytool) which need to distinguish these two cases, so that the output can properly indicate when the key is disabled but the signature or digest alg is ok.

To address this issue, a new checkKey parameter is added to the DisabledAlgorithmConstraints.permits methods. When true the key (alg and size) is also checked, otherwise it is not. This flag is always set to false by jarsigner when checking algs and by the JDK when checking digest algorithms. Other small changes include changes in SignerInfo to use a record to store info about the algorithms to be checked, and removing an unnecessary CRL checking method from AlgorithmChecker.

keytool will be enhanced in a subsequent CR to call the new methods.

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

Reviewers

• Weijun Wang (@wangweij - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6296/head:pull/6296
$ git checkout pull/6296

Update a local copy of the PR:
$ git checkout pull/6296
$ git pull https://git.openjdk.java.net/jdk pull/6296/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 6296

View PR using the GUI difftool:
$ git pr show -t 6296

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6296.diff

[bridgekeeper]

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@seanjmullan The following labels will be automatically applied to this pull request:

• compiler
• core-libs
• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

[seanjmullan]

/label remove core-libs

[seanjmullan]

/label remove compiler

[openjdk]

@seanjmullan
The core-libs label was successfully removed.

[openjdk]

@seanjmullan
The compiler label was successfully removed.

[mlbridge]

Webrevs

• 01: Full - Incremental (ac6d9436)
• 00: Full (6c1f1dd8)

[wangweij]

I'm feeling we should completely dump checking for algorithms and switch to checking algorithmIds. Even if currently it's only RSASSA-PSS, but suppose one day we support the SHAKE256-LEN MessageDigest algorithm and I suppose that LEN cannot be any number.

[seanjmullan]

I'm feeling we should completely dump checking for algorithms and switch to checking algorithmIds. Even if currently it's only RSASSA-PSS, but suppose one day we support the SHAKE256-LEN MessageDigest algorithm and I suppose that LEN cannot be any number.

Yes, this is a good suggestion, but I think it should be tackled separately. I'll file a separate RFE though. It would be nice if we made AlgorithmId a public API too.

[openjdk]

@seanjmullan This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

Reviewed-by: weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 245 new commits pushed to the master branch:

• 8db0c36: 8277414: ProblemList runtime/CommandLine/VMDeprecatedOptions.java on windows-x64
• 03473b4: 8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
• ce0f00f: 8276093: Improve naming in closures to iterate over card sets
• 5d249c4: 8275071: [macos] A11y cursor gets stuck when combobox is closed
• 354a34e: 8277336: Improve CollectedHeap::safepoint_workers comments
• 276bfcd: 8277407: javax/swing/plaf/synth/SynthButtonUI/6276188/bug6276188.java fails to compile after JDK-8276058
• d93b238: 8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64
• 00c388b: 8259643: ZGC can return metaspace OOM prematurely
• a44b45f: 4337793: Mark non-serializable fields of java.security.cert.Certificate and CertPath
• b3a62b4: 8276795: Deprecate seldom used CDS flags
• ... and 235 more: https://git.openjdk.java.net/jdk/compare/99b7b95e014da6e491ba7adfd21de53d6ae166fe...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[seanjmullan]

/integrate

[openjdk]

Going to push as commit 03f8c0f.
Since your change was applied there have been 261 commits pushed to the master branch:

• 936f7ff: 8276150: Quarantined jpackage apps are labeled as "damaged"
• a022796: 8275745: Reproducible copyright headers
• b1a1bf4: 8277427: Update jib-profiles.js to use JMH 1.33 devkit
• 03debf2: 8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
• b15e6f0: 8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs
• 11d819d: 8277439: G1: Correct include guard name in G1EvacFailureObjectsSet.hpp
• 7a046e0: 8277371: Remove unnecessary DefNewGeneration::ref_processor_init()
• 3a76d39: 8277324: C2 compilation fails with "bad AD file" on x86-32 after JDK-8276162 due to missing match rule
• 2f20b0d: 8273039: JShell crashes when naming variable or method "abstract" or "strictfp"
• f34f119: 8277213: CompileTask_lock is acquired out of order with MethodCompileQueue_lock
• ... and 251 more: https://git.openjdk.java.net/jdk/compare/99b7b95e014da6e491ba7adfd21de53d6ae166fe...master

Your commit was automatically rebased without conflicts.

[openjdk]

@seanjmullan Pushed as commit 03f8c0f.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.