Ok, I got it now. The method name "withWeak" threw me off a bit.
Fix looks good to me.
On 8/8/17 9:00 AM, Weijun Wang wrote:
On Aug 8, 2017, at 8:22 PM, Sean Mullan <sean.mul...@oracle.com> wrote:
I don't think we should warn at all if the keysize cannot be
determined or is inaccessible. The corresponding algorithm constraints
checks don't restrict keys whose size cannot be determined, so keytool
and jarsigner should be consistent.
This code change is not related to weak warnings. For jarsigner, it's
the signing history:
- Signed by "CN=a"
Digest algorithm: SHA-256
Signature algorithm: SHA256withECDSA, -1-bit key
For keytool, it's the keytool -list -v output:
Alias name: a
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: -1-bit EC key
In fact, whenever the key size appears in a weak warning, as you said,
it's always a positive value that fails a constraint check. This is why
I said I haven't touched those KeyUtil.getSize() outputs.
On 8/8/17 1:49 AM, Weijun Wang wrote:
Please review this trivial fix at
KeyUtil.getSize() are also called elsewhere when they key is weak,
where key length is not -1.