8266225: jarsigner is using incorrect security property to show weakness of certs

Reviewed-by: weijun, mullan
2025-08-27 06:45:07 +02:00 · 2021-05-11 19:37:26 +00:00 · 2021-05-11 19:37:26 +00:00 · 995e956030
commit 995e956030
parent 0a12605df8
2 changed files with 65 additions and 8 deletions
--- a/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
+++ b/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
@ -97,10 +97,14 @@ public class Main {
    private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds
    private static final long ONE_YEAR = 366*24*60*60*1000L;

-    private static final DisabledAlgorithmConstraints DISABLED_CHECK =
+    private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK =
            new DisabledAlgorithmConstraints(
                    DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);

+    private static final DisabledAlgorithmConstraints CERTPATH_DISABLED_CHECK =
+            new DisabledAlgorithmConstraints(
+                    DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
+
    private static final DisabledAlgorithmConstraints LEGACY_CHECK =
            new DisabledAlgorithmConstraints(
                    DisabledAlgorithmConstraints.PROPERTY_SECURITY_LEGACY_ALGS);
@ -1321,7 +1325,7 @@ public class Main {
    }

    private String verifyWithWeak(String alg, Set<CryptoPrimitive> primitiveSet, boolean tsa) {
-        if (DISABLED_CHECK.permits(primitiveSet, alg, null)) {
+        if (JAR_DISABLED_CHECK.permits(primitiveSet, alg, null)) {
            if (LEGACY_CHECK.permits(primitiveSet, alg, null)) {
                return alg;
            } else {
@ -1347,7 +1351,7 @@ public class Main {

    private String verifyWithWeak(PublicKey key) {
        int kLen = KeyUtil.getKeySize(key);
-        if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
+        if (JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
            if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
                if (kLen >= 0) {
                    return String.format(rb.getString("key.bit"), kLen);
@ -1366,7 +1370,7 @@ public class Main {
    }

    private void checkWeakSign(String alg, Set<CryptoPrimitive> primitiveSet, boolean tsa) {
-        if (DISABLED_CHECK.permits(primitiveSet, alg, null)) {
+        if (JAR_DISABLED_CHECK.permits(primitiveSet, alg, null)) {
            if (!LEGACY_CHECK.permits(primitiveSet, alg, null)) {
                if (primitiveSet == SIG_PRIMITIVE_SET) {
                   legacyAlg |= 2;
@ -1392,7 +1396,7 @@ public class Main {
    }

    private void checkWeakSign(PrivateKey key) {
-        if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
+        if (JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
            if (!LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
                legacyAlg |= 8;
            }
@ -1403,7 +1407,7 @@ public class Main {

    private static String checkWeakKey(PublicKey key) {
        int kLen = KeyUtil.getKeySize(key);
-        if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
+        if (CERTPATH_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
            if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
                if (kLen >= 0) {
                    return String.format(rb.getString("key.bit"), kLen);
@ -1419,7 +1423,7 @@ public class Main {
    }

    private static String checkWeakAlg(String alg) {
-        if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
+        if (CERTPATH_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
            if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
                return alg;
            } else {