On Thu, 18 Nov 2021 15:03:33 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> We should, but the problem is that jarsigner needs to individually test each >> algorithm, so it can properly display which algorithm is restricted. So, I >> think it will need to parse the RSSASSA params itself, and then call the >> constraints code to check each algorithm. Let me see if I can code up >> something that does that. > > I would like to defer the checking of AlgorithmParameters as part of another > bug. There are some major restructuring changes that would need to be made to > jarsigner to support this. And for RSASSA-PSS, there should not be any risk > for a while since by default jarsigner uses at least SHA-256 for the digest > algorithms in the PSS parameters. Looks so. ------------- PR: https://git.openjdk.java.net/jdk/pull/6296