JDK-8275887 : jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 18
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2021-10-25
  • Updated: 2022-12-01
  • Resolved: 2021-11-19
Fix versions:
  • JDK 11: 11.0.17-oracle (Fixed)
  • JDK 17: 17.0.5-oracle (Fixed)
  • JDK 18: 18 b25 (Fixed)
  • JDK 8: 8u351 (Fixed)
  • Other: openjdk8u362 (Fixed)
Description
For example, this is a JAR signed with a 1024-bit key:

jarsigner -signedjar signeda.jar  -sigalg SHA256withRSA  a.jar e1
jar signed.

Warning: 
The SHA-256 algorithm specified for the -digestalg option is considered a security risk. This algorithm will be disabled in a future update.
The SHA256withRSA algorithm specified for the -sigalg option is considered a security risk. This algorithm will be disabled in a future update.
The RSA signing key has a keysize of 1024 which is considered a security risk. This key size will be disabled in a future update.
The signer certificate will expire within six months.
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2022-01-23).
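The point of the report is that three independent checks are being reported as one: the digest algorithm (SHA-256) and the signature algorithm (SHA256withRSA) are not legacy, only the 1024-bit RSA key is, yet all three warnings fire. The following added example (not JDK code and not the jarsigner implementation) models the decision with a small parser for the comma-separated "ALG" / "ALG keySize OP N" entry syntax that the jdk.jar.disabledAlgorithms and jdk.security.legacyAlgorithms security properties use. The property value LEGACY_ALGORITHMS is a constructed sample, not the default of any JDK release, and the function names are the example's own. Name-only entries decide the algorithm verdicts; keySize entries decide the key verdict; a weak key therefore cannot taint the digest or signature result.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed property value in the comma-separated syntax used by the JDK's
# jdk.jar.disabledAlgorithms / jdk.security.legacyAlgorithms security
# properties. It is a sample for this example, not the default of any release.
LEGACY_ALGORITHMS = "SHA1, RSA keySize < 2048, DSA keySize < 2048"

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


@dataclass(frozen=True)
class Constraint:
    alg: str                  # canonical algorithm name, e.g. "SHA1" or "RSA"
    op: Optional[str] = None  # key-size comparison operator, None for a name-only entry
    size: Optional[int] = None


def canonical(name: str) -> str:
    """Normalise spelling differences such as SHA-256 vs SHA256."""
    return name.upper().replace("-", "")


def parse_constraints(prop: str) -> list:
    """Parse 'ALG' and 'ALG keySize OP N' entries. Other clause types the real
    properties allow (denyAfter, usage) are out of scope here and rejected."""
    result = []
    for entry in prop.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = re.fullmatch(r"(\S+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?", entry)
        if not m:
            raise ValueError(f"unsupported constraint entry: {entry!r}")
        alg, op, size = m.groups()
        result.append(Constraint(canonical(alg), op, int(size) if size else None))
    return result


def components(alg: str) -> set:
    """Split a composite signature name: SHA256withRSA -> {SHA256, RSA}."""
    return {canonical(p) for p in re.split(r"(?i)with|and", alg) if p}


def algorithm_is_legacy(alg: str, constraints) -> bool:
    """Name-only entries decide whether a digest or signature algorithm is
    legacy; keySize entries are deliberately ignored for this verdict."""
    parts = components(alg)
    return any(c.op is None and c.alg in parts for c in constraints)


def key_is_legacy(key_alg: str, key_size: int, constraints) -> bool:
    """keySize entries decide whether the signing key itself is legacy."""
    ka = canonical(key_alg)
    return any(c.op is not None and c.alg == ka and _OPS[c.op](key_size, c.size)
               for c in constraints)


def classify_signing(digest_alg, sig_alg, key_alg, key_size, prop=LEGACY_ALGORITHMS):
    """Three independent verdicts, one per jarsigner warning category."""
    cs = parse_constraints(prop)
    return {
        "digest": algorithm_is_legacy(digest_alg, cs),
        "signature": algorithm_is_legacy(sig_alg, cs),
        "key": key_is_legacy(key_alg, key_size, cs),
    }


if __name__ == "__main__":
    # The case from the report: SHA-256 digest, SHA256withRSA, 1024-bit RSA key.
    # Only the key verdict should be True.
    print(classify_signing("SHA-256", "SHA256withRSA", "RSA", 1024))
```

Run against the reported case, only the "key" verdict is true, which is the set of warnings the report expects; the pre-fix jarsigner output above flags all three. Swapping in a SHA-1 signature over a 2048-bit key inverts the result: the algorithm verdicts become true and the key verdict false, showing the two checks are independent.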

Comments
Critical fix request [8u] This is a follow-up fix for the already submitted JDK-8269039. Test passes.
29-11-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u/pull/24 Date: 2022-11-29 07:10:58 +0000
29-11-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u-dev/pull/197 Date: 2022-11-28 13:25:42 +0000
28-11-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk11u/pull/56 Date: 2022-09-16 07:27:22 +0000
16-09-2022

Critical fix request [11u] I backport the 17.0.5 change to 11 for parity with 11.0.17-oracle. I think it should go to 11.0.17 this late (as for 17.0.5) as it is a follow up to the changes of jar file signing that come with this release. Acceptable risk. Change is late and touches critical code. It changes exception messages, but I think we need this definitely. I had to resolve the change and change a record into a class. Test passes. SAP nightly testing passed.
16-09-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u/pull/354 Date: 2022-09-15 10:38:06 +0000
15-09-2022

Critical fix request [17u] I backport this for parity with 17.0.5-oracle. I think it should go to 17.0.5 this late as it is a follow up to the changes of jar file signing that come with this release. Acceptable risk. Change is late and touches critical code. It changes exception messages, but I think we need this definitely. I had to resolve the change. (Once it is pushed, I will take this as base for the 11u backport.) Test passes. SAP nightly testing passed.
15-09-2022

Changeset: 03f8c0fb Author: Sean Mullan <mullan@openjdk.org> Date: 2021-11-19 14:36:07 +0000 URL: https://git.openjdk.java.net/jdk/commit/03f8c0fb9363dc1bb07bed1ae0359c029caa0130
19-11-2021