On Tue, 12 Jan 2021 03:34:00 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
> The jarsigner tool currently provides warning associated with the signer’s
> cert when it uses weak algorithms, but not for the CA certs. This change is
> to process the signer’s cert chain to warn if CA certs use weak algorithms.
Changes requested by mullan (Reviewer).
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1404:
> 1402: }
> 1403:
> 1404: private String checkWeakKey(PublicKey key) {
Can this method be static?
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1421:
> 1419: }
> 1420:
> 1421: private String checkWeakAlg(String alg) {
Can this method be static?
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1483:
> 1481: certStr.append("\n").append(tab)
> 1482: .append("Signature algorithm: ")
> 1483: .append(checkWeakAlg(sigalg))
If the cert is trusted, I don't think we should print a warning if the
signature algorithm is weak. Otherwise this will generate false warnings for
SHA-1 roots which are not an issue. You should check the key size though. And
you can still print the signature algorithm. You may need to move line
1489-1490 before this to first determine if the cert is trusted.
-------------
PR: https://git.openjdk.java.net/jdk/pull/2042
