On Tue, 12 Jan 2021 20:57:41 GMT, Sean Mullan <mul...@openjdk.org> wrote:

>> Hai-May Chao has updated the pull request incrementally with one additional 
>> commit since the last revision:
>> 
>>   No warning for trusted cert's SHA1, and added debug output to test
>
> Changes requested by mullan (Reviewer).

Thanks for your review, Sean and Rajan. I've updated the webrev with your 
comments.

> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 
> 1404:
> 
>> 1402:     }
>> 1403: 
>> 1404:     private String checkWeakKey(PublicKey key) {
> 
> Can this method be static?

static added.

> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 
> 1421:
> 
>> 1419:     }
>> 1420: 
>> 1421:     private String checkWeakAlg(String alg) {
> 
> Can this method be static?

static added.

> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 
> 1483:
> 
>> 1481:             certStr.append("\n").append(tab)
>> 1482:                     .append("Signature algorithm: ")
>> 1483:                     .append(checkWeakAlg(sigalg))
> 
> If the cert is trusted, I don't think we should print a warning if the 
> signature algorithm is weak. Otherwise this will generate false warnings for 
> SHA-1 roots which are not an issue.  You should check the key size though. 
> And you can still print the signature algorithm. You may need to move line 
> 1489-1490 before this to first determine if the cert is trusted.

Fixed to not check the signature algorithm for a trusted cert, and updated the 
test accordingly.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2042
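To make the rule agreed on above concrete (warn on a weak signature algorithm only for untrusted certificates, but always check the key size, and keep both helpers static), here is an added illustration. It is not the code from this pull request or from OpenJDK's jarsigner: the class name `WeakCertChecks`, the `describeCert` method, the `trusted` flag and the weak-digest list and minimum key sizes are all constructed for the example; the real tool derives its policy from the JDK security properties rather than from hard-coded sets.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.DSAKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.util.Locale;
import java.util.Set;

// Hypothetical stand-in for the jarsigner checks discussed in the review; not OpenJDK code.
public final class WeakCertChecks {

    // Constructed sample policy. The real tool takes this from the
    // jdk.jar.disabledAlgorithms / jdk.certpath.disabledAlgorithms security properties.
    private static final Set<String> WEAK_DIGESTS = Set.of("MD2", "MD5", "SHA1");
    private static final int MIN_RSA_DSA_BITS = 1024;
    private static final int MIN_EC_BITS = 224;

    // Both helpers are static: they depend only on their arguments (the reviewer's point).
    static String checkWeakAlg(String sigAlg) {
        // "SHA1withRSA" -> "SHA1", "SHA-256withECDSA" -> "SHA256"
        String digest = sigAlg.toUpperCase(Locale.ROOT).replace("-", "");
        int with = digest.indexOf("WITH");
        if (with > 0) {
            digest = digest.substring(0, with);
        }
        return WEAK_DIGESTS.contains(digest) ? sigAlg + " (weak)" : sigAlg;
    }

    static String checkWeakKey(PublicKey key) {
        int bits = keySize(key);
        if (bits < 0) {
            return key.getAlgorithm() + " key (size unknown)";
        }
        String desc = bits + "-bit " + key.getAlgorithm() + " key";
        int min = (key instanceof ECKey) ? MIN_EC_BITS : MIN_RSA_DSA_BITS;
        return bits < min ? desc + " (weak)" : desc;
    }

    static int keySize(PublicKey key) {
        if (key instanceof RSAKey) {
            return ((RSAKey) key).getModulus().bitLength();
        }
        if (key instanceof DSAKey) {
            return ((DSAKey) key).getParams().getP().bitLength();
        }
        if (key instanceof ECKey) {
            return ((ECKey) key).getParams().getCurve().getField().getFieldSize();
        }
        return -1;
    }

    // The rule from the review: a trusted cert's signature algorithm is printed but
    // never flagged (SHA-1 roots are not a problem), while its key size is always checked.
    static String describeCert(String sigAlg, PublicKey key, boolean trusted) {
        String tab = "    ";
        return tab + "Signature algorithm: " + (trusted ? sigAlg : checkWeakAlg(sigAlg)) + "\n"
             + tab + "Subject Public Key Algorithm: " + checkWeakKey(key) + "\n";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PublicKey strongKey = kpg.generateKeyPair().getPublic();
        kpg.initialize(512);   // deliberately too small, to exercise the key-size check
        PublicKey weakKey = kpg.generateKeyPair().getPublic();

        // Untrusted signer cert with SHA-1: both the algorithm and (here) the key are flagged.
        System.out.println("Untrusted signer:\n" + describeCert("SHA1withRSA", weakKey, false));
        // Trusted SHA-1 root: algorithm printed without a warning, key still checked.
        System.out.println("Trusted root:\n" + describeCert("SHA1withRSA", strongKey, true));
        // Trusted root with a too-small key: the key-size warning is still emitted.
        System.out.println("Trusted root, small key:\n" + describeCert("SHA256withRSA", weakKey, true));
    }
}
```

The `trusted` flag is decided before the signature algorithm is printed, which is the ordering change the reviewer asks for (determine trust first, then decide whether `checkWeakAlg` applies); the key-size check does not depend on trust and runs in every branch.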
