On Tue, 12 Jan 2021 03:34:00 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
> The jarsigner tool currently provides warning associated with the signer’s > cert when it uses weak algorithms, but not for the CA certs. This change is > to process the signer’s cert chain to warn if CA certs use weak algorithms. Changes requested by mullan (Reviewer). src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1404: > 1402: } > 1403: > 1404: private String checkWeakKey(PublicKey key) { Can this method be static? src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1421: > 1419: } > 1420: > 1421: private String checkWeakAlg(String alg) { Can this method be static? src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1483: > 1481: certStr.append("\n").append(tab) > 1482: .append("Signature algorithm: ") > 1483: .append(checkWeakAlg(sigalg)) If the cert is trusted, I don't think we should print a warning if the signature algorithm is weak. Otherwise this will generate false warnings for SHA-1 roots which are not an issue. You should check the key size though. And you can still print the signature algorithm. You may need to move line 1489-1490 before this to first determine if the cert is trusted. ------------- PR: https://git.openjdk.java.net/jdk/pull/2042