archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 07:14:30 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8277474: jarsigner does not check if algorithm parameters are disabled

Browse source 
Reviewed-by: mullan, weijun
This commit is contained in:
Hai-May Chao 2022-03-03 23:01:26 +00:00
parent 1581e3faa0
commit fb6b929e6e
4 changed files with 120 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
View file

@ -202,7 +202,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
} }
} }
private void permits(AlgorithmParameters ap, ConstraintsParameters cp) public void permits(AlgorithmParameters ap, ConstraintsParameters cp)
throws CertPathValidatorException { throws CertPathValidatorException {
switch (ap.getAlgorithm().toUpperCase(Locale.ENGLISH)) { switch (ap.getAlgorithm().toUpperCase(Locale.ENGLISH)) {

40
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
View file

@ -1021,6 +1021,8 @@ public class Main {
si.getDigestAlgorithmId(), si.getDigestAlgorithmId(),
si.getDigestEncryptionAlgorithmId(), si.getDigestEncryptionAlgorithmId(),
si.getAuthenticatedAttributes() == null); si.getAuthenticatedAttributes() == null);
AlgorithmId encAlgId = si.getDigestEncryptionAlgorithmId();
AlgorithmParameters sigAlgParams = encAlgId.getParameters();
PublicKey key = signer.getPublicKey(); PublicKey key = signer.getPublicKey();
PKCS7 tsToken = si.getTsToken(); PKCS7 tsToken = si.getTsToken();
if (tsToken != null) { if (tsToken != null) {
@ -1035,6 +1037,8 @@ public class Main {
tsSi.getDigestAlgorithmId(), tsSi.getDigestAlgorithmId(),
tsSi.getDigestEncryptionAlgorithmId(), tsSi.getDigestEncryptionAlgorithmId(),
tsSi.getAuthenticatedAttributes() == null); tsSi.getAuthenticatedAttributes() == null);
AlgorithmId tsEncAlgId = tsSi.getDigestEncryptionAlgorithmId();
AlgorithmParameters tsSigAlgParams = tsEncAlgId.getParameters();
Calendar c = Calendar.getInstance( Calendar c = Calendar.getInstance(
TimeZone.getTimeZone("UTC"), TimeZone.getTimeZone("UTC"),
Locale.getDefault(Locale.Category.FORMAT)); Locale.getDefault(Locale.Category.FORMAT));
@ -1049,13 +1053,13 @@ public class Main {
history = String.format( history = String.format(
rb.getString("history.with.ts"), rb.getString("history.with.ts"),
signer.getSubjectX500Principal(), signer.getSubjectX500Principal(),
verifyWithWeak(digestAlg, DIGEST_PRIMITIVE_SET, false, jcp), verifyWithWeak(digestAlg, DIGEST_PRIMITIVE_SET, false, jcp, null),
verifyWithWeak(sigAlg, SIG_PRIMITIVE_SET, false, jcp), verifyWithWeak(sigAlg, SIG_PRIMITIVE_SET, false, jcp, sigAlgParams),
verifyWithWeak(key, jcp), verifyWithWeak(key, jcp),
c, c,
tsSigner.getSubjectX500Principal(), tsSigner.getSubjectX500Principal(),
verifyWithWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET, true, jcpts), verifyWithWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET, true, jcpts, null),
verifyWithWeak(tsSigAlg, SIG_PRIMITIVE_SET, true, jcpts), verifyWithWeak(tsSigAlg, SIG_PRIMITIVE_SET, true, jcpts, tsSigAlgParams),
verifyWithWeak(tsKey, jcpts)); verifyWithWeak(tsKey, jcpts));
} else { } else {
JarConstraintsParameters jcp = JarConstraintsParameters jcp =
@ -1063,8 +1067,8 @@ public class Main {
history = String.format( history = String.format(
rb.getString("history.without.ts"), rb.getString("history.without.ts"),
signer.getSubjectX500Principal(), signer.getSubjectX500Principal(),
verifyWithWeak(digestAlg, DIGEST_PRIMITIVE_SET, false, jcp), verifyWithWeak(digestAlg, DIGEST_PRIMITIVE_SET, false, jcp, null),
verifyWithWeak(sigAlg, SIG_PRIMITIVE_SET, false, jcp), verifyWithWeak(sigAlg, SIG_PRIMITIVE_SET, false, jcp, sigAlgParams),
verifyWithWeak(key, jcp)); verifyWithWeak(key, jcp));
} }
} catch (Exception e) { } catch (Exception e) {
@ -1393,7 +1397,7 @@ public class Main {
} }
private String verifyWithWeak(String alg, Set<CryptoPrimitive> primitiveSet, private String verifyWithWeak(String alg, Set<CryptoPrimitive> primitiveSet,
boolean tsa, JarConstraintsParameters jcp) { boolean tsa, JarConstraintsParameters jcp, AlgorithmParameters algParams) {
try { try {
JAR_DISABLED_CHECK.permits(alg, jcp, false); JAR_DISABLED_CHECK.permits(alg, jcp, false);
@ -1401,9 +1405,18 @@ public class Main {
disabledAlgFound = true; disabledAlgFound = true;
return String.format(rb.getString("with.disabled"), alg); return String.format(rb.getString("with.disabled"), alg);
} }
if (algParams != null) {
try {
JAR_DISABLED_CHECK.permits(algParams, jcp);
} catch (CertPathValidatorException e) {
disabledAlgFound = true;
return String.format(rb.getString("with.algparams.disabled"),
alg, algParams);
}
}
try { try {
LEGACY_CHECK.permits(alg, jcp, false); LEGACY_CHECK.permits(alg, jcp, false);
return alg;
} catch (CertPathValidatorException e) { } catch (CertPathValidatorException e) {
if (primitiveSet == SIG_PRIMITIVE_SET) { if (primitiveSet == SIG_PRIMITIVE_SET) {
legacyAlg |= 2; legacyAlg |= 2;
@ -1419,6 +1432,17 @@ public class Main {
} }
return String.format(rb.getString("with.weak"), alg); return String.format(rb.getString("with.weak"), alg);
} }
if (algParams != null) {
try {
LEGACY_CHECK.permits(algParams, jcp);
} catch (CertPathValidatorException e) {
legacyAlg |= 2;
legacySigAlg = alg;
return String.format(rb.getString("with.algparams.weak"),
alg, algParams);
}
}
return alg;
} }
private String verifyWithWeak(PublicKey key, JarConstraintsParameters jcp) { private String verifyWithWeak(PublicKey key, JarConstraintsParameters jcp) {

2
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java
View file

@ -176,7 +176,9 @@ public class Resources extends java.util.ListResourceBundle {
{"history.nobk", "- Missing block file for signature-related file META-INF/%s.SF"}, {"history.nobk", "- Missing block file for signature-related file META-INF/%s.SF"},
{"with.weak", "%s (weak)"}, {"with.weak", "%s (weak)"},
{"with.algparams.weak", "%1$s using %2$s (weak)"},
{"with.disabled", "%s (disabled)"}, {"with.disabled", "%s (disabled)"},
{"with.algparams.disabled", "%1$s using %2$s (disabled)"},
{"key.bit", "%d-bit key"}, {"key.bit", "%d-bit key"},
{"key.bit.weak", "%d-bit key (weak)"}, {"key.bit.weak", "%d-bit key (weak)"},
{"key.bit.disabled", "%d-bit key (disabled)"}, {"key.bit.disabled", "%d-bit key (disabled)"},

85
test/jdk/sun/security/tools/jarsigner/CheckAlgParams.java Normal file
View file

@ -0,0 +1,85 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8277474
* @summary jarsigner -verify should check if the algorithm parameters of
* its signature algorithm use disabled or legacy algorithms
* @library /test/lib
*/
import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;
import jdk.test.lib.util.JarUtils;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
public class CheckAlgParams {
private static final String JAVA_SECURITY_FILE = "java.security";
public static void main(String[] args) throws Exception{
SecurityTools.keytool("-keystore ks -storepass changeit " +
"-genkeypair -keyalg RSASSA-PSS -alias ca -dname CN=CA " +
"-ext bc:c")
.shouldHaveExitValue(0);
JarUtils.createJarFile(Path.of("a.jar"), Path.of("."), Path.of("ks"));
SecurityTools.jarsigner("-keystore ks -storepass changeit " +
"-signedjar signeda.jar " +
"-verbose" +
" a.jar ca")
.shouldHaveExitValue(0);
Files.writeString(Files.createFile(Paths.get(JAVA_SECURITY_FILE)),
"jdk.jar.disabledAlgorithms=SHA256\n" +
"jdk.security.legacyAlgorithms=\n");
SecurityTools.jarsigner("-verify signeda.jar " +
"-J-Djava.security.properties=" +
JAVA_SECURITY_FILE +
" -keystore ks -storepass changeit -verbose -debug")
.shouldMatch("Digest algorithm: SHA-256.*(disabled)")
.shouldMatch("Signature algorithm: RSASSA-PSS using PSSParameterSpec.*hashAlgorithm=SHA-256.*(disabled)")
.shouldContain("The jar will be treated as unsigned")
.shouldHaveExitValue(0);
Files.deleteIfExists(Paths.get(JAVA_SECURITY_FILE));
Files.writeString(Files.createFile(Paths.get(JAVA_SECURITY_FILE)),
"jdk.jar.disabledAlgorithms=\n" +
"jdk.security.legacyAlgorithms=SHA256\n");
SecurityTools.jarsigner("-verify signeda.jar " +
"-J-Djava.security.properties=" +
JAVA_SECURITY_FILE +
" -keystore ks -storepass changeit -verbose -debug")
.shouldMatch("Digest algorithm: SHA-256.*(weak)")
.shouldMatch("Signature algorithm: RSASSA-PSS using PSSParameterSpec.*hashAlgorithm=SHA-256.*(weak)")
.shouldNotContain("The jar will be treated as unsigned")
.shouldHaveExitValue(0);
}
}