JDK-8282633 : jarsigner output does not explain why an EC key is disabled if its curve has been disabled
  • Type: Bug
  • Component: security-libs
  • Sub-Component: jdk.security
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2022-03-03
  • Updated: 2022-03-25
  • Resolved: 2022-03-15
  • Fix Version: JDK 19 (build 19 b14, Fixed)
Description
Try disabling a curve by adding its name to the `jdk.disabled.namedCurves` security property and adding `include jdk.disabled.namedCurves` to the `jdk.jar.disabledAlgorithms` security property. The curve should now be disabled.

If you sign a JAR file with such a key, or verify a JAR signed with it, jarsigner correctly points out that the key is weak and the "signed" JAR is treated as unsigned. However, the warning messages do not explain why the key is weak.

For the signing side, it shows

    The EC signing key has a keysize of 256 which is considered a security risk and is disabled.

For the verification side (with -verbose) it shows

    - Signed by "CN=a"
        Digest algorithm: SHA-256
        Signature algorithm: SHA256withECDSA, 256-bit key (disabled)

    WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

      jdk.jar.disabledAlgorithms=include jdk.disabled.namedCurves, MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01

Here only the key algorithm and key size are displayed, but the reason why it's disabled -- the curve name -- is not there.

On the other hand, if we disable the curve in `jdk.certpath.disabledAlgorithms`, keytool is able to show

    Subject Public Key Algorithm: 256-bit EC (secp256r1) key (weak)

Here it shows both the keysize and curve name.

By the way, adding `EC keysize < 300` produces the same result, but in that case the reason is easy to understand. Fortunately, we currently don't support multiple curves with the same key size.
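As an added illustration (not code from the JDK or from this report), the following Python parses the constraint syntax quoted above, expands `include` references, and builds the kind of explanatory message this report asks for: when a key is disabled because of its curve, the message names the curve and the property that listed it, instead of only the key size. The `jdk.disabled.namedCurves` value is a constructed sample that deliberately contains secp256r1 (which is not disabled by default) to reproduce the scenario; the `jdk.jar.disabledAlgorithms` value is the one shown in the verification output.

```python
"""Added illustration: explain why a key is rejected by a disabledAlgorithms
property.  This is not the JDK's DisabledAlgorithmConstraints; it only models
the three entry shapes needed here: `include <property>`, `<ALG> keySize < N`,
and a bare name (an algorithm or a named curve)."""
from dataclasses import dataclass
import re

# Constructed sample of java.security properties.  The jar property is the value
# quoted in the bug report; the curve list is shortened and includes secp256r1
# on purpose, as the report suggests doing to reproduce the problem.
PROPERTIES = {
    "jdk.disabled.namedCurves": "secp112r1, secp112r2, secp128r1, secp256r1",
    "jdk.jar.disabledAlgorithms": (
        "include jdk.disabled.namedCurves, MD2, MD5, RSA keySize < 1024, "
        "DSA keySize < 1024, SHA1 denyAfter 2019-01-01"
    ),
}


@dataclass
class Constraint:
    text: str    # the entry exactly as written in the property
    source: str  # property the entry came from, after include expansion


def expand(props, name, seen=None):
    """Split a comma-separated constraint list, recursively expanding `include`."""
    if seen is None:
        seen = set()
    if name in seen:          # guard against an include cycle
        return []
    seen.add(name)
    out = []
    for entry in (e.strip() for e in props.get(name, "").split(",")):
        if not entry:
            continue
        m = re.fullmatch(r"include\s+(\S+)", entry)
        if m:
            out.extend(expand(props, m.group(1), seen))
        else:
            out.append(Constraint(entry, name))
    return out


def explain(props, prop, alg, key_size, curve=None):
    """Return a human-readable reason the key is disabled, or None if allowed.

    The reason names the curve when the curve is what matched, and names the
    property that actually listed the entry when it came in via `include`.
    """
    for c in expand(props, prop):
        via = "" if c.source == prop else f" (included from {prop})"
        m = re.fullmatch(rf"{alg}\s+keySize\s*<\s*(\d+)", c.text, re.I)
        if m and key_size < int(m.group(1)):
            return (f"The {alg} key has a keysize of {key_size}, which is below "
                    f"the limit set by '{c.text}' in {c.source}{via}")
        if curve and c.text.lower() == curve.lower():
            return (f"The {alg} key uses curve {curve}, which is disabled by "
                    f"{c.source}{via}")
        if c.text.lower() == alg.lower():
            return f"The {alg} algorithm is disabled by {c.source}{via}"
    return None


if __name__ == "__main__":
    jar = "jdk.jar.disabledAlgorithms"
    print(explain(PROPERTIES, jar, "EC", 256, "secp256r1"))   # curve is the reason
    print(explain(PROPERTIES, jar, "EC", 256, "secp256k1"))   # None: still allowed
    size_only = dict(PROPERTIES, **{jar: "EC keysize < 300"})
    print(explain(size_only, jar, "EC", 256, "secp256r1"))    # key size is the reason
```

Running it with the report's own numbers (a 256-bit EC key on secp256r1) yields a message that names `secp256r1` and `jdk.disabled.namedCurves`, whereas the `EC keysize < 300` variant yields a message that names the size limit, which is the distinction the report says jarsigner's current output loses.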
Comments
Changeset: f43ffe21 Author: Hai-May Chao <hchao@openjdk.org> Date: 2022-03-15 15:54:47 +0000 URL: https://git.openjdk.java.net/jdk/commit/f43ffe211f8ff287697092c39e4c25a16b40a383
15-03-2022

A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk/pull/7810 Date: 2022-03-14 17:41:28 +0000
14-03-2022