Re: RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
Looks good.

> On Oct 19, 2016, at 8:07 PM, Wang Weijun wrote:
>
> Updated at
>
> http://cr.openjdk.java.net/~weijun/8163304/webrev.02/
>
> Changes to webrev.01 are at
>
> http://cr.openjdk.java.net/~weijun/8163304/webrev.02/interdiff.patch.html
>
> Thanks
> Max
Re: RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
Updated at

http://cr.openjdk.java.net/~weijun/8163304/webrev.02/

Changes to webrev.01 are at

http://cr.openjdk.java.net/~weijun/8163304/webrev.02/interdiff.patch.html

Thanks
Max
Re: RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
> On Wed, 19 Oct 2016 16:13:24 -0400, Sean Mullan <sean.mullan at oracle.com> wrote:
>
>> 150 "The jar will be treated as unsigned, because it
>> is signed with a weak algorithm that is now disabled.\n\nRe-run
>> jarsigner with the -verbose option for more details."},
>
> I also wondered: what if there are multiple signatures. So a "because
> it is signed only with weak algorithms" might be better?

This is more precise. But probably not more helpful. This warning only shows when all algorithms are weak and saying one algorithm is weak is not misleading.

IMO, people will only get confused when one signature is weak and the other is not. In this case, the history prints out 2 signatures but "jarsigner -verify -verbose -certs" only shows one for the entries. I hope the weak label there could be meaningful.

Thanks
Max

> Regards
> Bernd
Re: RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
> On Oct 20, 2016, at 4:13 AM, Sean Mullan wrote:
>
> * Main.java
>
>   98     private static final DisabledAlgorithmConstraints SIGN_CHECK =
>   99             new DisabledAlgorithmConstraints(
>  100                     DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
>
> This should be changed to PROPERTY_JAR_DISABLED_ALGS now that the fix for
> 8167594 is in 9.

Yes.

> * Resources.java
>
>  150 "The jar will be treated as unsigned, because it is
> signed with a weak algorithm that is now disabled.\n\nRe-run jarsigner with
> the -verbose option for more details."},
>
> Should this also have "WARNING:" at the beginning like the other 2 unsigned
> warning messages?

You suggested this some time ago:

I think we should say "WARNING: Signature not parsable or verifiable. ..." Without the word "WARNING", the impact (to me) seems to get lost in the verbose output.

The "WARNING" part is not needed if -verbose is not specified.

> * JarUtils.java
>
>   45 * a new jar entry will be created with the file name itself the
> content.
>   70 * with the file name itself the content.
>
> These 2 lines would be more understandable if you changed "itself the
> content" to "itself as the content".

Yes.

> * TimestampCheck.java
>
> You will need to update this test based on the new MD5 restrictions added in
> 8167594.

Yes.

Thanks
Max

> --Sean
>
> On 10/19/2016 03:36 AM, Wang Weijun wrote:
>> Please review the code change at
>>
>> http://cr.openjdk.java.net/~weijun/8163304/webrev.01/
>>
>> With this change, "jarsigner -verify -verbose" will print out how a jar was
>> signed.
>>
>> For example, a jar which was signed and timestamped with many weak
>> algorithms will show
>>
>> - Signed by "CN=old"
>>     Digest algorithm: MD2 (weak)
>>     Signature algorithm: MD2withRSA (weak), 2048-bit key
>>   Timestamped by "CN=tsbad1" on Wed Oct 19 07:32:22 UTC 2016
>>     Timestamp digest algorithm: MD2 (weak)
>>     Timestamp signature algorithm: SHA1withRSA, 512-bit key (weak)
>>
>> WARNING: The jar will be treated as unsigned, because it is signed with a
>> weak algorithm that is now disabled by the security property:
>>
>> jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024
>>
>> Thanks
>> Max
Re: RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
On Wed, 19 Oct 2016 16:13:24 -0400, Sean Mullan wrote:

> 150 "The jar will be treated as unsigned, because it
> is signed with a weak algorithm that is now disabled.\n\nRe-run
> jarsigner with the -verbose option for more details."},

I also wondered: what if there are multiple signatures. So a "because it is signed only with weak algorithms" might be better?

Regards
Bernd
Re: RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
* Main.java

  98     private static final DisabledAlgorithmConstraints SIGN_CHECK =
  99             new DisabledAlgorithmConstraints(
 100                     DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);

This should be changed to PROPERTY_JAR_DISABLED_ALGS now that the fix for 8167594 is in 9.

* Resources.java

 150 "The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled.\n\nRe-run jarsigner with the -verbose option for more details."},

Should this also have "WARNING:" at the beginning like the other 2 unsigned warning messages?

* JarUtils.java

  45 * a new jar entry will be created with the file name itself the content.
  70 * with the file name itself the content.

These 2 lines would be more understandable if you changed "itself the content" to "itself as the content".

* TimestampCheck.java

You will need to update this test based on the new MD5 restrictions added in 8167594.

--Sean

On 10/19/2016 03:36 AM, Wang Weijun wrote:
> Please review the code change at
>
> http://cr.openjdk.java.net/~weijun/8163304/webrev.01/
>
> With this change, "jarsigner -verify -verbose" will print out how a jar was signed.
>
> For example, a jar which was signed and timestamped with many weak algorithms will show
>
> - Signed by "CN=old"
>     Digest algorithm: MD2 (weak)
>     Signature algorithm: MD2withRSA (weak), 2048-bit key
>   Timestamped by "CN=tsbad1" on Wed Oct 19 07:32:22 UTC 2016
>     Timestamp digest algorithm: MD2 (weak)
>     Timestamp signature algorithm: SHA1withRSA, 512-bit key (weak)
>
> WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
>
> jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024
>
> Thanks
> Max
RFR 8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
Please review the code change at

http://cr.openjdk.java.net/~weijun/8163304/webrev.01/

With this change, "jarsigner -verify -verbose" will print out how a jar was signed.

For example, a jar which was signed and timestamped with many weak algorithms will show

- Signed by "CN=old"
    Digest algorithm: MD2 (weak)
    Signature algorithm: MD2withRSA (weak), 2048-bit key
  Timestamped by "CN=tsbad1" on Wed Oct 19 07:32:22 UTC 2016
    Timestamp digest algorithm: MD2 (weak)
    Timestamp signature algorithm: SHA1withRSA, 512-bit key (weak)

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024

Thanks
Max
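
How the "(weak)" labels in the sample output above follow from the quoted jdk.jar.disabledAlgorithms value, as an added example that is not part of the original post or of the JDK code. It is a simplified Python model with hypothetical function names; the JDK's own constraint checker supports more syntax and algorithm aliases than this.

```python
import re

# Property value exactly as quoted in the warning on this page.
JAR_DISABLED = "MD2, RSA keySize < 1024, DSA keySize < 1024"

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b}


def parse_constraints(prop):
    """Split the property into disabled names and per-algorithm key-size rules."""
    names, key_rules = set(), []
    for item in (p.strip() for p in prop.split(",")):
        m = re.fullmatch(r"(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", item)
        if m:
            key_rules.append((m.group(1).upper(), m.group(2), int(m.group(3))))
        elif item:
            names.add(item.upper())
    return names, key_rules


def decompose(algorithm):
    """Simplified decomposition: 'MD2withRSA' -> {'MD2WITHRSA', 'MD2', 'RSA'}."""
    parts = re.split(r"with|and", algorithm, flags=re.IGNORECASE)
    return {algorithm.upper(), *(p.upper() for p in parts if p)}


def label_algorithm(algorithm, names):
    """Append '(weak)' when any component of the algorithm name is disabled."""
    weak = bool(decompose(algorithm) & names)
    return f"{algorithm} (weak)" if weak else algorithm


def label_key(key_alg, bits, key_rules):
    """Append '(weak)' when a keySize rule for this key algorithm matches."""
    weak = any(alg == key_alg.upper() and OPS[op](bits, limit)
               for alg, op, limit in key_rules)
    return f"{bits}-bit key (weak)" if weak else f"{bits}-bit key"


def describe_signature(sig_alg, key_alg, bits, prop=JAR_DISABLED):
    names, key_rules = parse_constraints(prop)
    return f"{label_algorithm(sig_alg, names)}, {label_key(key_alg, bits, key_rules)}"


if __name__ == "__main__":
    # Constructed inputs mirroring the sample jar described in the post.
    print("Signature algorithm:", describe_signature("MD2withRSA", "RSA", 2048))
    print("Timestamp signature algorithm:", describe_signature("SHA1withRSA", "RSA", 512))
```

The algorithm name and the key size are judged independently, which is why the same signature line can carry the label on either part.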