> When a signature/digest algorithm was being checked, the algorithm
> constraints checked both the signature/digest algorithm and the key to see if
> they were restricted. This caused duplicate checks and was also problematic
> for `jarsigner` (and `keytool`) which need to distinguish these two cases, so
> that the output can properly indicate when the key is disabled but the
> signature or digest alg is ok.
>
> To address this issue, a new `checkKey` parameter is added to the
> `DisabledAlgorithmConstraints.permits` methods. When `true` the key (alg and
> size) is also checked, otherwise it is not. This flag is always set to
> `false` by `jarsigner` when checking algs and by the JDK when checking digest
> algorithms. Other small changes include changes in `SignerInfo` to use a
> record to store info about the algorithms to be checked, and removing an
> unnecessary CRL checking method from `AlgorithmChecker`.
>
> `keytool` will be enhanced in a subsequent CR to call the new methods.

Sean Mullan has updated the pull request incrementally with one additional commit since the last revision:

  Use var in for loop in SignerInfo. In TimestampCheck test, combine/simplify what messages should not be emitted when jar is signed with 512-bit RSA key.

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6296/files
  - new: https://git.openjdk.java.net/jdk/pull/6296/files/6c1f1dd8..ac6d9436

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6296&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6296&range=00-01

  Stats: 13 lines in 2 files changed: 0 ins; 8 del; 5 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6296.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6296/head:pull/6296

PR: https://git.openjdk.java.net/jdk/pull/6296
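
The separation the quoted description makes between the algorithm check and the key check, as an added example that is not part of the original message and is not JDK code. `CheckKeyDemo`, its `permits` and `keyPermitted` methods, and the rule values are hypothetical stand-ins constructed for illustration; only standard `java.security` calls are used.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAKey;
import java.util.Locale;
import java.util.Set;

public class CheckKeyDemo {
    // Constructed rules for illustration; not read from the java.security file.
    static final Set<String> DISABLED_DIGESTS = Set.of("MD2", "MD5");
    static final int MIN_RSA_BITS = 1024;

    // Hypothetical stand-in for a permits(..., checkKey) style method:
    // the key is examined only when checkKey is true.
    static boolean permits(String sigAlg, PublicKey key, boolean checkKey) {
        int idx = sigAlg.indexOf("with"); // "SHA256withRSA" -> "SHA256"
        String digest = (idx < 0 ? sigAlg : sigAlg.substring(0, idx))
                .toUpperCase(Locale.ROOT);
        if (DISABLED_DIGESTS.contains(digest)) {
            return false;
        }
        return !checkKey || keyPermitted(key);
    }

    // Key-only check (algorithm and size), kept separate so a tool can
    // report a disabled key independently of the signature algorithm.
    static boolean keyPermitted(PublicKey key) {
        if (key instanceof RSAKey rsa) {
            return rsa.getModulus().bitLength() >= MIN_RSA_BITS;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(512); // weak key, as in the 512-bit RSA case the commit mentions
        PublicKey weak = kpg.generateKeyPair().getPublic();

        for (String alg : new String[] {"SHA256withRSA", "MD5withRSA"}) {
            boolean algOk = permits(alg, weak, false); // algorithm only
            boolean bothOk = permits(alg, weak, true); // algorithm and key
            System.out.printf("%s: algorithm %s, key %s, combined check %s%n", alg,
                    algOk ? "ok" : "disabled",
                    keyPermitted(weak) ? "ok" : "disabled",
                    bothOk ? "passes" : "fails");
        }
    }
}
```

With only the combined check, both algorithms fail identically for the 512-bit key; passing `false` for `checkKey` is what lets the caller see that `SHA256withRSA` itself is acceptable and the key is the problem.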