On Tue, 16 Nov 2021 17:53:16 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line
>> 1491:
>>
>>> 1489: private static String checkWeakAlg(String alg,
>>> CertPathConstraintsParameters cpcp) {
>>> 1490: try {
>>> 1491: CERTPATH_DISABLED_CHECK.permits(alg, cpcp, false);
>>
>> Do we need to check AlgorithmParamters as well? Ex: if `alg` is RSASSA-PSS.
>
> We should, but the problem is that jarsigner needs to individually test each
> algorithm, so it can properly display which algorithm is restricted. So, I
> think it will need to parse the RSSASSA params itself, and then call the
> constraints code to check each algorithm. Let me see if I can code up
> something that does that.
I would like to defer the checking of AlgorithmParameters as part of another
bug. There are some major restructuring changes that would need to be made to
jarsigner to support this. And for RSASSA-PSS, there should not be any risk for
a while since by default jarsigner uses at least SHA-256 for the digest
algorithms in the PSS parameters.
-------------
PR: https://git.openjdk.java.net/jdk/pull/6296
