JDK-8277474 : jarsigner does not check if algorithm parameters are disabled
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2021-11-19
  • Updated: 2022-03-25
  • Resolved: 2022-03-03
The Version table provides details related to the release in which this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • Fix Version: JDK 19, build 19 b13 (Fixed)
Description
Currently, the jarsigner tool does not warn you when the parameters of a signature or digest algorithm themselves use legacy or disabled algorithms. For example, the parameters for the RSASSA-PSS signature algorithm contain two fields (hashAlgorithm and maskGenAlgorithm) that should be checked against the algorithm constraint properties.

These algorithms, however, are properly restricted at runtime: if one of them is disabled, the JAR is treated as unsigned.
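The check the description asks for, written out as an added illustration; this is not the JDK's own code and not the fix in the changeset below. It uses only public java.security APIs (PSSParameterSpec, MGF1ParameterSpec, AlgorithmParameters for "RSASSA-PSS"). The disabled-algorithm string it parses is a constructed sample in the syntax of jdk.jar.disabledAlgorithms, not the JDK's real default, and the parser is deliberately simplified: it reads only the leading algorithm name of each entry and ignores keySize and denyAfter qualifiers. The class name PssParamCheck and its helper names are invented for this example.

```java
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

public class PssParamCheck {

    // Constructed sample in the syntax of jdk.jar.disabledAlgorithms; NOT the
    // JDK's real default. Only the leading algorithm name of each entry is
    // consulted here; keySize and denyAfter qualifiers are ignored.
    static final String SAMPLE_DISABLED = "MD2, MD5, SHA1, RSA keySize < 1024";

    /** Collects the algorithm name that starts each comma-separated entry. */
    static Set<String> parseDisabled(String property) {
        Set<String> names = new LinkedHashSet<>();
        if (property == null) {
            return names;
        }
        for (String entry : property.split(",")) {
            String[] tokens = entry.trim().split("\\s+");
            if (tokens.length > 0 && !tokens[0].isEmpty()) {
                names.add(normalize(tokens[0]));
            }
        }
        return names;
    }

    /** Makes "SHA-1", "sha1" and "SHA1" compare equal (simplified matching). */
    static String normalize(String algorithm) {
        return algorithm.toUpperCase(Locale.ROOT).replace("-", "");
    }

    /**
     * Returns the PSS fields that reference a disabled algorithm, or an empty
     * set when both hashAlgorithm and the MGF1 digest are allowed.
     */
    static Set<String> findDisabled(PSSParameterSpec pss, Set<String> disabled) {
        Set<String> hits = new LinkedHashSet<>();
        String hash = pss.getDigestAlgorithm();
        if (disabled.contains(normalize(hash))) {
            hits.add("hashAlgorithm=" + hash);
        }
        AlgorithmParameterSpec mgfParams = pss.getMGFParameters();
        if (mgfParams instanceof MGF1ParameterSpec) {
            String mgfHash = ((MGF1ParameterSpec) mgfParams).getDigestAlgorithm();
            if (disabled.contains(normalize(mgfHash))) {
                hits.add("maskGenAlgorithm=" + pss.getMGFAlgorithm() + " with " + mgfHash);
            }
        }
        return hits;
    }

    /** Decodes the DER-encoded RSASSA-PSS-params carried in a signature's AlgorithmIdentifier. */
    static PSSParameterSpec decode(byte[] der) throws GeneralSecurityException {
        AlgorithmParameters ap = AlgorithmParameters.getInstance("RSASSA-PSS");
        ap.init(der);
        return ap.getParameterSpec(PSSParameterSpec.class);
    }

    public static void main(String[] args) throws Exception {
        Set<String> disabled = parseDisabled(SAMPLE_DISABLED);

        // Legacy parameters: SHA-1 as both the hash and the MGF1 digest.
        PSSParameterSpec legacy = new PSSParameterSpec("SHA-1", "MGF1", MGF1ParameterSpec.SHA1, 20, 1);
        // Current parameters: SHA-256 throughout.
        PSSParameterSpec modern = new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

        // Round-trip through the DER encoding to mimic parameters read out of a signature block.
        AlgorithmParameters ap = AlgorithmParameters.getInstance("RSASSA-PSS");
        ap.init(legacy);
        PSSParameterSpec fromDer = decode(ap.getEncoded());

        System.out.println("legacy params : " + findDisabled(fromDer, disabled));
        System.out.println("modern params : " + findDisabled(modern, disabled));

        // The same check against the running JVM's actual java.security property.
        Set<String> jvmDisabled = parseDisabled(Security.getProperty("jdk.jar.disabledAlgorithms"));
        System.out.println("legacy vs this JVM: " + findDisabled(legacy, jvmDisabled));
    }
}
```

Against the constructed sample, the legacy parameters are reported on both fields (hashAlgorithm and the MGF1 digest) while the SHA-256 parameters pass; the last line shows the same check driven by whatever the local java.security file actually disables. A production check would also have to honour the keySize and denyAfter qualifiers that this parser skips.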
Comments
Changeset: fb6b929e Author: Hai-May Chao <hchao@openjdk.org> Date: 2022-03-03 23:01:26 +0000 URL: https://git.openjdk.java.net/jdk/commit/fb6b929e6e935baeccfd03a7fbc048cc8b531ce5
03-03-2022

A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk/pull/7582 Date: 2022-02-22 22:00:05 +0000
22-02-2022

A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk/pull/7580 Date: 2022-02-22 20:18:19 +0000
22-02-2022