On Aug 8, 2017, at 8:22 PM, Sean Mullan <sean.mul...@oracle.com> wrote:

I don't think we should warn at all if the keysize cannot be determined or is inaccessible. The corresponding algorithm constraints checks don't restrict keys whose size cannot be determined, so keytool and jarsigner should be consistent.

This code change is not related to weak warnings. For jarsigner, it's the signing history:

- Signed by "CN=a"
   Digest algorithm: SHA-256
   Signature algorithm: SHA256withECDSA, -1-bit key

For keytool, it's the keytool -list -v output:

Alias name: a
...
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: -1-bit EC key
Version: 3

In fact, whenever the key size appears in a weak warning, as you said, it's always a positive value that fails a constraint check. This is why I said I haven't touched those KeyUtil.getSize() outputs.

--Max


--Sean

On 8/8/17 1:49 AM, Weijun Wang wrote:
Please review this trivial fix at
  http://cr.openjdk.java.net/~weijun/8185934/webrev.00/
KeyUtil.getSize() is also called elsewhere when the key is weak, where key length is not -1.
Noreg-trivial.
Thanks
Max
