> If a JAR is signed with multiple digest algorithms and one of the digest
> algorithms is disabled, `ManifestEntryVerifier.verify()` was incorrectly
> returning null indicating that the jar entry has no signers.
>
> This fixes the issue such that an entry is considered signed if at least one
> of the digest algorithms is not disabled and the digest match passes. This
> makes the fix consistent with how multiple digest algorithms are handled in
> the Signature File. This also fixes an issue in the
> `ManifestEntryVerifier.getParams()` method in which it was incorrectly
> checking the algorithm constraints against all signers of a JAR when it
> should check them only against the signers of the entry that is being
> verified.
>
> An additional cache has also been added to avoid checking if the digest
> algorithm is disabled more than once for entries signed by the same set of
> signers.

Sean Mullan has updated the pull request incrementally with one additional commit since the last revision:

  Change permittedAlgs variable name. Move put methods out of checkConstraints().

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/7056/files
  - new: https://git.openjdk.java.net/jdk/pull/7056/files/056bcff2..b551c2b9

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=7056&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=7056&range=00-01

  Stats: 13 lines in 1 file changed: 3 ins; 2 del; 8 mod
  Patch: https://git.openjdk.java.net/jdk/pull/7056.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/7056/head:pull/7056

PR: https://git.openjdk.java.net/jdk/pull/7056
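
The per-entry decision described in the quoted PR summary, as an added illustration that is not code from the pull request or the JDK. The class, the `isSigned` and `digestOf` helpers, the `fixed` switch and the `DISABLED` set are hypothetical stand-ins, and treating a mismatch on a permitted algorithm as fatal is an assumption of this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class MultiDigestEntryCheck {
    // Constructed stand-in for the JDK's disabled-algorithm policy (assumption).
    static final Set<String> DISABLED = Set.of("MD5");

    // Model of the per-entry decision. digests maps algorithm name -> Base64
    // digest, as the "<alg>-Digest" attributes of a manifest entry would.
    // fixed=false models the old result: any disabled algorithm => unsigned.
    static boolean isSigned(byte[] entry, Map<String, String> digests, boolean fixed)
            throws Exception {
        boolean matched = false;
        for (Map.Entry<String, String> d : digests.entrySet()) {
            if (DISABLED.contains(d.getKey())) {
                if (!fixed) return false;   // old: entry reported as having no signers
                continue;                   // fixed: skip it, keep checking the rest
            }
            byte[] expected = Base64.getDecoder().decode(d.getValue());
            byte[] actual = MessageDigest.getInstance(d.getKey()).digest(entry);
            // Assumption of this sketch: a mismatch on a permitted algorithm is fatal.
            if (!MessageDigest.isEqual(expected, actual))
                throw new SecurityException(d.getKey() + " digest mismatch");
            matched = true;
        }
        return matched; // false when every listed algorithm is disabled
    }

    static String digestOf(String alg, byte[] data) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance(alg).digest(data));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample entry and digests, not taken from a real JAR.
        byte[] entry = "constructed entry contents".getBytes(StandardCharsets.UTF_8);
        Map<String, String> both = new LinkedHashMap<>();
        both.put("MD5", digestOf("MD5", entry));
        both.put("SHA-256", digestOf("SHA-256", entry));
        Map<String, String> md5Only = Map.of("MD5", digestOf("MD5", entry));

        System.out.println("MD5 + SHA-256, old:   " + isSigned(entry, both, false));
        System.out.println("MD5 + SHA-256, fixed: " + isSigned(entry, both, true));
        System.out.println("MD5 only, fixed:      " + isSigned(entry, md5Only, true));
    }
}
```

The third case matters for deployments: an entry whose only digests use disabled algorithms is still treated as unsigned, so the change does not weaken the disabled-algorithm policy.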