> On Oct 20, 2016, at 4:13 AM, Sean Mullan <sean.mul...@oracle.com> wrote: > > * Main.java > > 98 private static final DisabledAlgorithmConstraints SIGN_CHECK = > 99 new DisabledAlgorithmConstraints( > 100 DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS); > > This should be changed to PROPERTY_JAR_DISABLED_ALGS now that the fix for > 8167594 is in 9.
Yes. > > * Resources.java > > 150 "The jar will be treated as unsigned, because it is > signed with a weak algorithm that is now disabled.\n\nRe-run jarsigner with > the -verbose option for more details."}, > > Should this also have "WARNING:" at the beginning like the other 2 unsigned > warning messages? You suggested this some time ago: I think we should say "WARNING: Signature not parsable or verifiable. ..." Without the word "WARNING", the impact (to me) seems to get lost in the verbose output. The "WARNING" part is not needed if -verbose is not specified. > > * JarUtils.java > > 45 * a new jar entry will be created with the file name itself the > content. > 70 * with the file name itself the content. > > These 2 lines would be more understandable if you changed "itself the > content" to "itself as the content". Yes. > > * TimestampCheck.java > > You will need to update this test based on the new MD5 restrictions added in > 8167594. Yes. Thanks Max > > --Sean > > On 10/19/2016 03:36 AM, Wang Weijun wrote: >> Please review the code change at >> >> http://cr.openjdk.java.net/~weijun/8163304/webrev.01/ >> >> With this change, "jarsigner -verify -verbose" will print out how a jar was >> signed. >> >> For example, a jar which was signed and timestamped with many weak >> algorithms will show >> >> - Signed by "CN=old" >> Digest algorithm: MD2 (weak) >> Signature algorithm: MD2withRSA (weak), 2048-bit key >> Timestamped by "CN=tsbad1" on Wed Oct 19 07:32:22 UTC 2016 >> Timestamp digest algorithm: MD2 (weak) >> Timestamp signature algorithm: SHA1withRSA, 512-bit key (weak) >> >> WARNING: The jar will be treated as unsigned, because it is signed with a >> weak algorithm that is now disabled by the security property: >> >> jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024 >> >> Thanks >> Max >>
