On Wed, 2 Mar 2022 16:20:53 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> Removed unneeded import and updated -verbose output
>
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line
> 1414:
>
>> 1412: } catch (CertPathValidatorException e) {
>> 1413: disabledAlgFound = true;
>> 1414: return String.format(rb.getString("with.disabled"),
>> algParams);
>
> The return value of this method will be shown as the "Signature algorithm" in
> the output. It's OK to include an optional "weak" (or "disabled") tag, but
> the core part still must be an algorithm name. Here, the updated code returns
> the string format of `algParams`, which is not an algorithm name.
>
> I'm not sure how to fix this nicely. Certainly you want to show the user why
> it is weak so the weak part should be displayed. A verbose solution could be
> "RSSSSA-PSS using PSSParameterSpec(...SHA-1...) (weak)", but the `toString()`
> output of `PSSParameterSpec` is quite long.
>
> Same comment to the code change below.
I add "RSSSSA-PSS using “ to the `-verbose` output as suggested, and keep the
remaining output as the parameters for the RSASSA-PSS contain hashAlgorithm and
maskGenAlgorithm that could be disabled or weak. At the same time, strip off
the saltLength and trailerField display.
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line
> 1438:
>
>> 1436: try {
>> 1437: LEGACY_CHECK.permits(algParams, jcp);
>> 1438: return alg;
>
> No need to return here since it will be returned on line 1445 anyway.
Removed.
> test/jdk/sun/security/tools/jarsigner/CheckAlgParams.java line 30:
>
>> 28: * its signature algorithm use disabled or legacy algorithms
>> 29: * @library /test/lib
>> 30: * @modules java.base/sun.security.x509
>
> Is this `@modules` line useful?
No, removed it. Thanks for the review!
-------------
PR: https://git.openjdk.java.net/jdk/pull/7582
