JDK-8320768 : Release Note: HSS/LMS: `keytool` and `jarsigner` Changes
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.security
  • Affected Version: 22
  • Priority: P3
  • Status: Resolved
  • Resolution: Delivered
  • Submitted: 2023-11-27
  • Updated: 2024-02-15
  • Resolved: 2023-11-30
The Version table provides details about the release in which this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

JDK 22
22: Resolved
Description
The `jarsigner` and `keytool` tools have been updated to support the Hierarchical Signature System/Leighton-Micali Signature (HSS/LMS) signature algorithm. `jarsigner` supports signing JAR files with HSS/LMS and verifying JAR files signed with HSS/LMS while `keytool` supports generating HSS/LMS key pairs.

The JDK includes a security provider that supports HSS/LMS signature verification only. In order to use the key pair generation and signing features of `keytool` and `jarsigner`, a third-party provider that supports HSS/LMS key pair and signature generation and a keystore implementation that can store HSS/LMS keys is required.

Even though there’s no specific Java SE API to initialize an HSS/LMS key pair generator, `keytool` can function with a third-party `KeyPairGenerator` implementation that supports initialization via an integer keysize or a `NamedParameterSpec` object. In such cases, users are able to provide the parameters using the existing `-keysize` or `-groupname` options of `keytool`.
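An added example (not part of the release note or the JDK sources): a probe that lists which installed providers offer HSS/LMS `Signature`, `KeyFactory` and `KeyPairGenerator` services, then checks whether a generator accepts the two initialization styles that `-groupname` and `-keysize` depend on. The class name `HssLmsProbe` and its command-line arguments are assumptions; parameter-set names are provider-specific, so none is hard-coded.

```java
import java.security.*;
import java.security.spec.NamedParameterSpec;

public class HssLmsProbe {
    static final String ALG = "HSS/LMS"; // standard algorithm name

    // Print every installed provider that registers this service type for HSS/LMS.
    static boolean report(String type) {
        boolean found = false;
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, ALG) != null) {
                System.out.println(type + ": " + p.getName());
                found = true;
            }
        }
        if (!found) System.out.println(type + ": no provider");
        return found;
    }

    public static void main(String[] args) throws Exception {
        // A Signature service is enough for jarsigner -verify; it does not
        // imply signing support (the JDK's own provider is verify-only).
        report("Signature");
        report("KeyFactory");
        if (!report("KeyPairGenerator")) {
            System.out.println("keytool -genkeypair needs a third-party provider");
            return;
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(ALG);
        // args[0] (optional): parameter-set name, as would be passed to -groupname
        if (args.length > 0) {
            try {
                kpg.initialize(new NamedParameterSpec(args[0]));
                System.out.println("-groupname " + args[0] + ": accepted");
            } catch (InvalidAlgorithmParameterException | RuntimeException e) {
                System.out.println("-groupname " + args[0] + ": rejected (" + e + ")");
            }
        }
        // args[1] (optional): integer, as would be passed to -keysize
        if (args.length > 1) {
            try {
                kpg.initialize(Integer.parseInt(args[1]));
                System.out.println("-keysize " + args[1] + ": accepted");
            } catch (RuntimeException e) {
                System.out.println("-keysize " + args[1] + ": rejected (" + e + ")");
            }
        }
    }
}
```

Run it with `java HssLmsProbe.java` on the JDK that will do the signing, with any third-party provider registered the same way it will be for `keytool` and `jarsigner`.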

As part of this change, the JAR specification was modified to repurpose the existing “.DSA” extension for JAR files signed with HSS/LMS and other forthcoming signature algorithms.