On Aug 8, 2017, at 8:22 PM, Sean Mullan <sean.mul...@oracle.com> wrote:

I don't think we should warn at all if the keysize cannot be determined or is inaccessible. The corresponding algorithm constraints checks don't restrict keys whose size cannot be determined, so keytool and jarsigner should be consistent.

This code change is not related to weak warnings. For jarsigner, it's the signing history:

- Signed by "CN=a"
   Digest algorithm: SHA-256
   Signature algorithm: SHA256withECDSA, -1-bit key

For keytool, it's the keytool -list -v output:

Alias name: a
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: -1-bit EC key
Version: 3

In fact, whenever the key size appears in a weak warning, as you said, it's always a positive value that fails a constraint check. This is why I said I haven't touched those KeyUtil.getSize() outputs.



On 8/8/17 1:49 AM, Weijun Wang wrote:
Please review this trivial fix at
KeyUtil.getSize() are also called elsewhere when they key is weak, where key length is not -1.

Reply via email to