Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8277474: jarsigner does not check if algorithm parameters are disabled #7582

Closed
wants to merge 7 commits into from

Conversation

haimaychao
Copy link
Contributor

@haimaychao haimaychao commented Feb 22, 2022

This fixes jarsigner to enforce checking against algorithm constraint properties so when the signature algorithms parameters use disabled or legacy algorithms, it will emit warnings accordingly. If the algorithm used in parameters is disabled, jarsigner treats the jar as unsigned.


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

  • JDK-8277474: jarsigner does not check if algorithm parameters are disabled

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/7582/head:pull/7582
$ git checkout pull/7582

Update a local copy of the PR:
$ git checkout pull/7582
$ git pull https://git.openjdk.java.net/jdk pull/7582/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 7582

View PR using the GUI difftool:
$ git pr show -t 7582

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/7582.diff

@haimaychao
Copy link
Contributor Author

haimaychao commented Feb 22, 2022

/label remove core-libs

@haimaychao
Copy link
Contributor Author

haimaychao commented Feb 22, 2022

/label remove compiler

@bridgekeeper
Copy link

bridgekeeper bot commented Feb 22, 2022

👋 Welcome back hchao! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr label Feb 22, 2022
@openjdk
Copy link

openjdk bot commented Feb 22, 2022

@haimaychao The core-libs label was not set.

@openjdk
Copy link

openjdk bot commented Feb 22, 2022

@haimaychao The compiler label was not set.

@openjdk
Copy link

openjdk bot commented Feb 22, 2022

@haimaychao The following labels will be automatically applied to this pull request:

  • compiler
  • core-libs
  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added security core-libs compiler labels Feb 22, 2022
@haimaychao
Copy link
Contributor Author

haimaychao commented Feb 22, 2022

/label remove core-libs

@haimaychao
Copy link
Contributor Author

haimaychao commented Feb 22, 2022

/label remove compiler

@openjdk openjdk bot removed the core-libs label Feb 22, 2022
@openjdk
Copy link

openjdk bot commented Feb 22, 2022

@haimaychao
The core-libs label was successfully removed.

@openjdk openjdk bot removed the compiler label Feb 22, 2022
@openjdk
Copy link

openjdk bot commented Feb 22, 2022

@haimaychao
The compiler label was successfully removed.

@mlbridge
Copy link

mlbridge bot commented Feb 22, 2022

Webrevs

@@ -30,6 +30,7 @@
import java.net.URLClassLoader;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXBuilderParameters;
import java.security.spec.PSSParameterSpec;
Copy link
Member

@seanjmullan seanjmullan Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think you need this import, as this class does not seem to be referenced anywhere.

Copy link
Contributor Author

@haimaychao haimaychao Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed. Thanks for the review.

@openjdk
Copy link

openjdk bot commented Mar 2, 2022

@haimaychao This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8277474: jarsigner does not check if algorithm parameters are disabled

Reviewed-by: mullan, weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 265 new commits pushed to the master branch:

  • 1581e3f: 8282402: Create a regression test for JDK-4666101
  • 268fa69: 8282511: Use fixed certificate validation date in SSLExampleCert template
  • c777bb3: 8282619: G1: Fix indentation in G1CollectedHeap::mark_evac_failure_object
  • 080baff: 8282483: Ensure that Utils.getAllInterfaces returns unique instances
  • 57020fd: 8282582: Unused methods in Utils
  • 5c187e3: 8282593: JDK-8281472 breaks 32-bit builds and gtests
  • 7822cbc: 8276711: compiler/codecache/cli tests failing when SegmentedCodeCache used with -Xint
  • 832729b: 6911375: mouseWheel has no effect without vertical scrollbar
  • 0402a28: 8037965: NullPointerException in TextLayout.getBaselineFromGraphic() for JTextComponents
  • d4d1fbc: 8282484: G1: Predicted old time in log always zero
  • ... and 255 more: https://git.openjdk.java.net/jdk/compare/2f71a6b39ed6bb869b4eb3e81bc1d87f4b3328ff...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready label Mar 2, 2022
JAR_DISABLED_CHECK.permits(algParams, jcp);
} catch (CertPathValidatorException e) {
disabledAlgFound = true;
return String.format(rb.getString("with.disabled"), algParams);
Copy link
Contributor

@wangweij wangweij Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The return value of this method will be shown as the "Signature algorithm" in the output. It's OK to include an optional "weak" (or "disabled") tag, but the core part still must be an algorithm name. Here, the updated code returns the string format of algParams, which is not an algorithm name.

I'm not sure how to fix this nicely. Certainly you want to show the user why it is weak so the weak part should be displayed. A verbose solution could be "RSASSA-PSS using PSSParameterSpec(...SHA-1...) (weak)", but the toString() output of PSSParameterSpec is quite long.

Same comment to the code change below.

Copy link
Contributor Author

@haimaychao haimaychao Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I add "RSSSSA-PSS using “ to the -verbose output as suggested, and keep the remaining output as the parameters for the RSASSA-PSS contain hashAlgorithm and maskGenAlgorithm that could be disabled or weak. At the same time, strip off the saltLength and trailerField display.

Copy link
Contributor

@wangweij wangweij Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does it look like now? Also, you might need to create a mapping in Resources.java because "using" should only be shown when system language is English.

Copy link
Contributor

@wangweij wangweij Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, what if it's another algorithm using another type of parameters? You cannot hardcode "RSASSA-PSS" and take it for granted that there is a "]" inside the string format of the parameter and it's the end of the weak part.

Copy link
Contributor Author

@haimaychao haimaychao Mar 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made change to add "RSASSA-PSS using” before its parameter output when the signature algorithm is RSASSA-PSS. Also, keep the parameter string without doing further parsing and stripping off based on the "]".

Copy link
Contributor

@wangweij wangweij left a comment

The return values of the 2 updated verifyWithWeak methods need to be fixed.

if (algParams != null) {
try {
LEGACY_CHECK.permits(algParams, jcp);
return alg;
Copy link
Contributor

@wangweij wangweij Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to return here since it will be returned on line 1445 anyway.

Copy link
Contributor Author

@haimaychao haimaychao Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed.

* @summary jarsigner -verify should check if the algorithm parameters of
* its signature algorithm use disabled or legacy algorithms
* @library /test/lib
* @modules java.base/sun.security.x509
Copy link
Contributor

@wangweij wangweij Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this @modules line useful?

Copy link
Contributor Author

@haimaychao haimaychao Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, removed it. Thanks for the review!

return String.format(rb.getString("with.algparams.disabled"),
"RSASSA-PSS", algParams);
default:
return String.format(rb.getString("with.disabled"), algParams);
Copy link
Contributor

@wangweij wangweij Mar 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no need to differentiate RSASSA-PSS and other algorithms. Just use the exact same format as you defined in Resources.java. This makes sure if one day another type of algorithm parameters fail the check, we will see the algorithm name and full description of the parameters as well. If the description is not clear, it's the problem of its toString() implementation.

Copy link
Contributor Author

@haimaychao haimaychao Mar 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed code that differentiates.

"RSASSA-PSS", algParams);
default:
return String.format(rb.getString("with.weak"), algParams);
}
Copy link
Contributor

@wangweij wangweij Mar 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above.

@haimaychao
Copy link
Contributor Author

haimaychao commented Mar 3, 2022

/integrate

@openjdk
Copy link

openjdk bot commented Mar 3, 2022

Going to push as commit fb6b929.
Since your change was applied there have been 265 commits pushed to the master branch:

  • 1581e3f: 8282402: Create a regression test for JDK-4666101
  • 268fa69: 8282511: Use fixed certificate validation date in SSLExampleCert template
  • c777bb3: 8282619: G1: Fix indentation in G1CollectedHeap::mark_evac_failure_object
  • 080baff: 8282483: Ensure that Utils.getAllInterfaces returns unique instances
  • 57020fd: 8282582: Unused methods in Utils
  • 5c187e3: 8282593: JDK-8281472 breaks 32-bit builds and gtests
  • 7822cbc: 8276711: compiler/codecache/cli tests failing when SegmentedCodeCache used with -Xint
  • 832729b: 6911375: mouseWheel has no effect without vertical scrollbar
  • 0402a28: 8037965: NullPointerException in TextLayout.getBaselineFromGraphic() for JTextComponents
  • d4d1fbc: 8282484: G1: Predicted old time in log always zero
  • ... and 255 more: https://git.openjdk.java.net/jdk/compare/2f71a6b39ed6bb869b4eb3e81bc1d87f4b3328ff...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated label Mar 3, 2022
@openjdk openjdk bot closed this Mar 3, 2022
@openjdk openjdk bot removed ready rfr labels Mar 3, 2022
@openjdk
Copy link

openjdk bot commented Mar 3, 2022

@haimaychao Pushed as commit fb6b929.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integrated security
3 participants