On Tue, 16 Nov 2021 18:10:04 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> When a signature/digest algorithm was being checked, the algorithm >> constraints checked both the signature/digest algorithm and the key to see >> if they were restricted. This caused duplicate checks and was also >> problematic for `jarsigner` (and `keytool`) which need to distinguish these >> two cases, so that the output can properly indicate when the key is disabled >> but the signature or digest alg is ok. >> >> To address this issue, a new `checkKey` parameter is added to the >> `DisabledAlgorithmConstraints.permits` methods. When `true` the key (alg and >> size) is also checked, otherwise it is not. This flag is always set to >> `false` by `jarsigner` when checking algs and by the JDK when checking >> digest algorithms. Other small changes include changes in `SignerInfo` to >> use a record to store info about the algorithms to be checked, and removing >> an unnecessary CRL checking method from `AlgorithmChecker`. >> >> `keytool` will be enhanced in a subsequent CR to call the new methods. > > Sean Mullan has updated the pull request incrementally with one additional > commit since the last revision: > > Use var in for loop in SignerInfo. > In TimestampCheck test, combine/simplify what messages should not be emitted > when jar is signed with 512-bit RSA key. Marked as reviewed by weijun (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/6296
