On Tue, 12 Jan 2021 20:57:41 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>>
>>   No warning for trusted cert's SHA1, and added debug output to test
>
> Changes requested by mullan (Reviewer).

Thanks for your review, Sean and Rajan. I've updated the webrev with your comments.

> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1404:
>
>> 1402:     }
>> 1403:
>> 1404:     private String checkWeakKey(PublicKey key) {
>
> Can this method be static?

static added.

> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1421:
>
>> 1419:     }
>> 1420:
>> 1421:     private String checkWeakAlg(String alg) {
>
> Can this method be static?

static added.

> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1483:
>
>> 1481:             certStr.append("\n").append(tab)
>> 1482:                     .append("Signature algorithm: ")
>> 1483:                     .append(checkWeakAlg(sigalg))
>
> If the cert is trusted, I don't think we should print a warning if the signature algorithm is weak. Otherwise this will generate false warnings for SHA-1 roots which are not an issue. You should check the key size though. And you can still print the signature algorithm. You may need to move line 1489-1490 before this to first determine if the cert is trusted.

Fixed to not check the signature algorithm for a trusted cert, and updated the test accordingly.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2042
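The distinction the review settles on (key size is checked for every certificate in the signer's chain, signature algorithm only for certificates that are not trust anchors, and trust is decided before either check) is shown below as a stand-alone Java program. This is an added example, not code from the jarsigner change under review or from the JDK; the class and method names, the weak-digest list and the key-size thresholds are assumptions of the example (jarsigner takes its real values from the jdk.jar.disabledAlgorithms security property), and a certificate is treated as a trust anchor simply when it appears as a trusted-certificate entry in the truststore or the signer's keystore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

// Example only (not jarsigner code): the self-signature on a trusted root is never
// verified, so a SHA-1 root is not a weakness; a 1024-bit RSA root still is.
public class WeakChainCheck {

    // Assumed thresholds for this example; the real ones come from jdk.jar.disabledAlgorithms.
    private static final int MIN_RSA_DSA_BITS = 1024;
    private static final int MIN_EC_BITS = 224;
    private static final Set<String> WEAK_DIGESTS = Set.of("MD2", "MD5", "SHA1");

    /** Digest part of a JCA signature algorithm name: "SHA1withRSA" -> "SHA1". */
    static String digestOf(String sigAlgName) {
        String upper = sigAlgName.toUpperCase(Locale.ROOT).replace("-", "");
        int idx = upper.indexOf("WITH");
        // Names without "with" (e.g. "RSASSA-PSS") carry no digest in the name and are not flagged.
        return idx > 0 ? upper.substring(0, idx) : "";
    }

    /** Key size in bits for RSA, DSA and EC keys; -1 for other key types. */
    static int keyBits(PublicKey key) {
        if (key instanceof RSAPublicKey) return ((RSAPublicKey) key).getModulus().bitLength();
        if (key instanceof DSAPublicKey) return ((DSAPublicKey) key).getParams().getP().bitLength();
        if (key instanceof ECPublicKey) return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        return -1;
    }

    /** One warning per finding; an empty list means the chain passed. */
    static List<String> checkChain(X509Certificate[] chain, Set<X509Certificate> trustAnchors) {
        List<String> warnings = new ArrayList<>();
        for (X509Certificate cert : chain) {
            // Decide trust first: it controls which checks apply below.
            boolean trusted = trustAnchors.contains(cert);
            String subject = cert.getSubjectX500Principal().getName();
            PublicKey key = cert.getPublicKey();

            // Key size is checked for every certificate, trusted or not.
            int bits = keyBits(key);
            int min = "EC".equals(key.getAlgorithm()) ? MIN_EC_BITS : MIN_RSA_DSA_BITS;
            if (bits > 0 && bits < min) {
                warnings.add(subject + ": " + key.getAlgorithm() + " key size " + bits + " is weak"
                        + (trusted ? " (trusted certificate)" : ""));
            }

            // Signature algorithm is only checked when the certificate is not a trust anchor.
            if (!trusted && WEAK_DIGESTS.contains(digestOf(cert.getSigAlgName()))) {
                warnings.add(subject + ": signature algorithm " + cert.getSigAlgName() + " is weak");
            }
        }
        return warnings;
    }

    /** All trusted-certificate entries of a keystore, used as trust anchors. */
    static Set<X509Certificate> trustedCerts(KeyStore ks) throws Exception {
        Set<X509Certificate> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (ks.isCertificateEntry(alias) && c instanceof X509Certificate) anchors.add((X509Certificate) c);
        }
        return anchors;
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    // Usage: java WeakChainCheck <signer keystore> <storepass> <alias> [<truststore>]
    // Without a truststore argument the JDK's own cacerts file supplies the trust anchors.
    public static void main(String[] args) throws Exception {
        KeyStore signerStore = load(args[0], args[1].toCharArray());
        Certificate[] raw = signerStore.getCertificateChain(args[2]);
        if (raw == null) {
            System.err.println("no key entry with a certificate chain for alias " + args[2]);
            System.exit(1);
        }
        X509Certificate[] chain = new X509Certificate[raw.length];
        for (int i = 0; i < raw.length; i++) chain[i] = (X509Certificate) raw[i];

        String trustPath = args.length > 3 ? args[3]
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        // A null password reads the certificates without verifying keystore integrity.
        Set<X509Certificate> anchors = trustedCerts(load(trustPath, null));
        anchors.addAll(trustedCerts(signerStore));

        List<String> warnings = checkChain(chain, anchors);
        warnings.forEach(w -> System.out.println("Warning: " + w));
        if (warnings.isEmpty()) System.out.println("no weak keys or algorithms in chain of " + args[2]);
    }
}
```

Run it against a PKCS12 keystore holding a signer whose chain ends in a SHA-1-signed root that is also present as a trusted entry: the root produces no signature-algorithm warning, while a 1024-bit RSA key anywhere in the chain, root included, is still reported. Remove the root from the truststore and the SHA-1 warning reappears, which is exactly the false positive the review comment wanted to avoid for trusted roots.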