mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-27 06:45:07 +02:00
8275887
: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
Reviewed-by: weijun
parent
936f7ff49e
commit
03f8c0fb93
9 changed files with 90 additions and 89 deletions
|
@ -1018,9 +1018,14 @@ public class Main {
|
|||
Calendar c = Calendar.getInstance(
|
||||
TimeZone.getTimeZone("UTC"),
|
||||
Locale.getDefault(Locale.Category.FORMAT));
|
||||
c.setTime(tsTokenInfo.getDate());
|
||||
Date tsDate = tsTokenInfo.getDate();
|
||||
c.setTime(tsDate);
|
||||
JarConstraintsParameters jcp =
|
||||
new JarConstraintsParameters(chain, si.getTimestamp());
|
||||
new JarConstraintsParameters(chain, tsDate);
|
||||
JarConstraintsParameters jcpts =
|
||||
new JarConstraintsParameters(
|
||||
tsSi.getCertificateChain(tsToken),
|
||||
tsDate);
|
||||
history = String.format(
|
||||
rb.getString("history.with.ts"),
|
||||
signer.getSubjectX500Principal(),
|
||||
|
@ -1029,9 +1034,9 @@ public class Main {
|
|||
verifyWithWeak(key, jcp),
|
||||
c,
|
||||
tsSigner.getSubjectX500Principal(),
|
||||
verifyWithWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET, true, jcp),
|
||||
verifyWithWeak(tsSigAlg, SIG_PRIMITIVE_SET, true, jcp),
|
||||
verifyWithWeak(tsKey, jcp));
|
||||
verifyWithWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET, true, jcpts),
|
||||
verifyWithWeak(tsSigAlg, SIG_PRIMITIVE_SET, true, jcpts),
|
||||
verifyWithWeak(tsKey, jcpts));
|
||||
} else {
|
||||
JarConstraintsParameters jcp =
|
||||
new JarConstraintsParameters(chain, null);
|
||||
|
@ -1371,13 +1376,13 @@ public class Main {
|
|||
boolean tsa, JarConstraintsParameters jcp) {
|
||||
|
||||
try {
|
||||
JAR_DISABLED_CHECK.permits(alg, jcp);
|
||||
JAR_DISABLED_CHECK.permits(alg, jcp, false);
|
||||
} catch (CertPathValidatorException e) {
|
||||
disabledAlgFound = true;
|
||||
return String.format(rb.getString("with.disabled"), alg);
|
||||
}
|
||||
try {
|
||||
LEGACY_CHECK.permits(alg, jcp);
|
||||
LEGACY_CHECK.permits(alg, jcp, false);
|
||||
return alg;
|
||||
} catch (CertPathValidatorException e) {
|
||||
if (primitiveSet == SIG_PRIMITIVE_SET) {
|
||||
|
@ -1399,13 +1404,13 @@ public class Main {
|
|||
private String verifyWithWeak(PublicKey key, JarConstraintsParameters jcp) {
|
||||
int kLen = KeyUtil.getKeySize(key);
|
||||
try {
|
||||
JAR_DISABLED_CHECK.permits(key.getAlgorithm(), jcp);
|
||||
JAR_DISABLED_CHECK.permits(key.getAlgorithm(), jcp, true);
|
||||
} catch (CertPathValidatorException e) {
|
||||
disabledAlgFound = true;
|
||||
return String.format(rb.getString("key.bit.disabled"), kLen);
|
||||
}
|
||||
try {
|
||||
LEGACY_CHECK.permits(key.getAlgorithm(), jcp);
|
||||
LEGACY_CHECK.permits(key.getAlgorithm(), jcp, true);
|
||||
if (kLen >= 0) {
|
||||
return String.format(rb.getString("key.bit"), kLen);
|
||||
} else {
|
||||
|
@ -1422,9 +1427,9 @@ public class Main {
|
|||
boolean tsa, JarConstraintsParameters jcp) {
|
||||
|
||||
try {
|
||||
JAR_DISABLED_CHECK.permits(alg, jcp);
|
||||
JAR_DISABLED_CHECK.permits(alg, jcp, false);
|
||||
try {
|
||||
LEGACY_CHECK.permits(alg, jcp);
|
||||
LEGACY_CHECK.permits(alg, jcp, false);
|
||||
} catch (CertPathValidatorException e) {
|
||||
if (primitiveSet == SIG_PRIMITIVE_SET) {
|
||||
legacyAlg |= 2;
|
||||
|
@ -1451,9 +1456,9 @@ public class Main {
|
|||
|
||||
private void checkWeakSign(PrivateKey key, JarConstraintsParameters jcp) {
|
||||
try {
|
||||
JAR_DISABLED_CHECK.permits(key.getAlgorithm(), jcp);
|
||||
JAR_DISABLED_CHECK.permits(key.getAlgorithm(), jcp, true);
|
||||
try {
|
||||
LEGACY_CHECK.permits(key.getAlgorithm(), jcp);
|
||||
LEGACY_CHECK.permits(key.getAlgorithm(), jcp, true);
|
||||
} catch (CertPathValidatorException e) {
|
||||
legacyAlg |= 8;
|
||||
}
|
||||
|
@ -1465,12 +1470,12 @@ public class Main {
|
|||
private static String checkWeakKey(PublicKey key, CertPathConstraintsParameters cpcp) {
|
||||
int kLen = KeyUtil.getKeySize(key);
|
||||
try {
|
||||
CERTPATH_DISABLED_CHECK.permits(key.getAlgorithm(), cpcp);
|
||||
CERTPATH_DISABLED_CHECK.permits(key.getAlgorithm(), cpcp, true);
|
||||
} catch (CertPathValidatorException e) {
|
||||
return String.format(rb.getString("key.bit.disabled"), kLen);
|
||||
}
|
||||
try {
|
||||
LEGACY_CHECK.permits(key.getAlgorithm(), cpcp);
|
||||
LEGACY_CHECK.permits(key.getAlgorithm(), cpcp, true);
|
||||
if (kLen >= 0) {
|
||||
return String.format(rb.getString("key.bit"), kLen);
|
||||
} else {
|
||||
|
@ -1483,12 +1488,12 @@ public class Main {
|
|||
|
||||
private static String checkWeakAlg(String alg, CertPathConstraintsParameters cpcp) {
|
||||
try {
|
||||
CERTPATH_DISABLED_CHECK.permits(alg, cpcp);
|
||||
CERTPATH_DISABLED_CHECK.permits(alg, cpcp, false);
|
||||
} catch (CertPathValidatorException e) {
|
||||
return String.format(rb.getString("with.disabled"), alg);
|
||||
}
|
||||
try {
|
||||
LEGACY_CHECK.permits(alg, cpcp);
|
||||
LEGACY_CHECK.permits(alg, cpcp, false);
|
||||
return alg;
|
||||
} catch (CertPathValidatorException e) {
|
||||
return String.format(rb.getString("with.weak"), alg);
|
||||
|
|
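Review bot: In `verifyWithWeak(PublicKey key, JarConstraintsParameters jcp)` (the `@ -1399` hunk) the disabled/legacy decision is made from `key.getAlgorithm()` and `jcp`, while the size printed in the warning is `kLen` read from `key`, so nothing inside the method ties the key being reported to the constraint parameters being checked. With the new third argument set to `true`, the key-size constraints presumably apply to whatever keys `jcp` was built from, which is the same pairing the first two hunks correct for the timestamp (`tsKey` is now checked with `jcpts` rather than `jcp`). I would state that precondition on the method, e.g. `// jcp must be built from the chain that contains key; the size check follows jcp, not this argument`, and confirm the same holds for `checkWeakSign` and `checkWeakKey`. The bare `true`/`false` literals at each `permits(...)` call would also be easier to audit with a short trailing comment saying what the flag selects. The bodies of these methods continue outside the hunks, so this is based only on the visible lines.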