On Tue, 22 Feb 2022 22:00:05 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
> This fixes jarsigner to enforce checking against algorithm constraint
> properties so when the signature algorithms parameters use disabled or legacy
> algorithms, it will emit warnings accordingly. If the algorithm used in
> parameters is disabled, jarsigner treats the jar as unsigned.
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1414:
> 1412: } catch (CertPathValidatorException e) {
> 1413: disabledAlgFound = true;
> 1414: return String.format(rb.getString("with.disabled"),
> algParams);
The return value should still be the algorithm name with an optional "weak" (or
"disabled") tag, something like "RSASSA-PSS (weak)". However, the updated code
is now returning the string format of `algParams`, which will be
"PSSParameter... (weak)".
I'm not sure how to fix this nicely. Certainly you want to show the user why it
is weak so the weak part should be displayed. A verbose solution could be
"RSSSSA-PSS using PSSParameterSpec(SHA-256) (weak)". Hopefully the `toString()`
output of `PSSParameterSpec` is not too ugly.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7582
