On Tue, 16 Nov 2021 01:41:50 GMT, Weijun Wang <wei...@openjdk.org> wrote:

> I'm feeling we should completely dump checking for algorithms and switch to 
> checking algorithmIds. Even if currently it's only RSASSA-PSS, but suppose 
> one day we support the SHAKE256-LEN MessageDigest algorithm and I suppose 
> that LEN cannot be any number.

Yes, this is a good suggestion, but I think it should be tackled separately. 
I'll file a separate RFE though. It would be nice if we made AlgorithmId a 
public API too.

> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 
> 1491:
> 
>> 1489:     private static String checkWeakAlg(String alg, 
>> CertPathConstraintsParameters cpcp) {
>> 1490:         try {
>> 1491:             CERTPATH_DISABLED_CHECK.permits(alg, cpcp, false);
> 
> Do we need to check AlgorithmParameters as well? Ex: if `alg` is RSASSA-PSS.

We should, but the problem is that jarsigner needs to individually test each 
algorithm, so it can properly display which algorithm is restricted. So, I 
think it will need to parse the RSASSA params itself, and then call the 
constraints code to check each algorithm. Let me see if I can code up something 
that does that.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6296
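
The per-algorithm check discussed in the message above, sketched as an added example (not code from the PR or from jarsigner): it splits RSASSA-PSS parameters into the algorithm names they carry and tests each one separately, so a report can name the specific restricted algorithm. The class `PssParamCheck`, the method `decompose` and the `DISABLED` deny-list are hypothetical; the deny-list stands in for the JDK-internal constraints check, which is not a public API.

```java
import java.security.AlgorithmParameters;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class PssParamCheck {
    // Hypothetical deny-list; stands in for the JDK-internal constraints check.
    static final Set<String> DISABLED = Set.of("MD5", "SHA1", "SHA-1");

    // Maps each role in the PSS parameters to the algorithm name it carries.
    static Map<String, String> decompose(AlgorithmParameters params) throws Exception {
        PSSParameterSpec pss = params.getParameterSpec(PSSParameterSpec.class);
        Map<String, String> algs = new LinkedHashMap<>();
        algs.put("message digest", pss.getDigestAlgorithm());
        algs.put("mask generation function", pss.getMGFAlgorithm());
        AlgorithmParameterSpec mgf = pss.getMGFParameters();
        if (mgf instanceof MGF1ParameterSpec) {
            // MGF1 has its own digest, independent of the message digest.
            algs.put("MGF1 digest", ((MGF1ParameterSpec) mgf).getDigestAlgorithm());
        }
        return algs;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: strong message digest, weak digest inside MGF1.
        AlgorithmParameters params = AlgorithmParameters.getInstance("RSASSA-PSS");
        params.init(new PSSParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA1, 32, PSSParameterSpec.TRAILER_FIELD_BC));

        // Check every component on its own so each verdict names one algorithm.
        for (Map.Entry<String, String> e : decompose(params).entrySet()) {
            boolean weak = DISABLED.contains(e.getValue().toUpperCase(Locale.ROOT));
            System.out.printf("%-24s %-8s %s%n", e.getKey(), e.getValue(),
                    weak ? "restricted" : "permitted");
        }
    }
}
```

With the constructed parameters, a check on the signature algorithm name alone would see only RSASSA-PSS, while the per-component check flags the SHA-1 digest inside MGF1.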