Withdrawn: 8277474: jarsigner does not check if algorithm parameters are disabled

[Hai-May Chao]

On Tue, 22 Feb 2022 20:18:19 GMT, Hai-May Chao  wrote:

> This fixes jarsigner to enforce checking against algorithm constraint 
> properties so when the signature algorithms parameters use disabled or legacy 
> algorithms, it will emit warnings accordingly. If the algorithm used in 
> parameters is disabled, jarsigner treats the jar as unsigned.

This pull request has been closed without being integrated.

-

PR: https://git.openjdk.java.net/jdk/pull/7580

RFR: 8277474: jarsigner does not check if algorithm parameters are disabled

[Hai-May Chao]

This fixes jarsigner to enforce checking against algorithm constraint 
properties so when the signature algorithms parameters use disabled or legacy 
algorithms, it will emit warnings accordingly. If the algorithm used in 
parameters is disabled, jarsigner treats the jar as unsigned.

-

Commit messages:
 - 8277474: jarsigner does not check if algorithm parameters are disabled
 - Testcase updated
 - 8265765: DomainKeyStore may stop enumerating aliases if a constituting 
KeyStore is empty

Changes: https://git.openjdk.java.net/jdk/pull/7580/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=7580&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8277474
  Stats: 256 lines in 5 files changed: 240 ins; 3 del; 13 mod
  Patch: https://git.openjdk.java.net/jdk/pull/7580.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/7580/head:pull/7580

PR: https://git.openjdk.java.net/jdk/pull/7580

RFR: 8272163: Add -version option to keytool and jarsigner

[Hai-May Chao]

It'd be useful to have a -version option for keytool and jarsigner. Many other 
JDK tools already have a -version option. This is to add -version option to 
keytool and jarsigner like jar command does.

-

Commit messages:
 - 8272163: Add -version option to keytool and jarsigner

Changes: https://git.openjdk.java.net/jdk/pull/5954/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5954&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8272163
  Stats: 117 lines in 6 files changed: 116 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/5954.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/5954/head:pull/5954

PR: https://git.openjdk.java.net/jdk/pull/5954

RFR: 8266225: jarsigner is using incorrect security property to show weakness of certs

[Hai-May Chao]

Please review the change to jarsigner so it uses certpath security property in 
order to properly display the weakness of the certificate algorithms.

-

Commit messages:
 - 8266225:jarsigner is using incorrect security property to show weakness of 
certs

Changes: https://git.openjdk.java.net/jdk/pull/3905/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=3905&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8266225
  Stats: 39 lines in 2 files changed: 31 ins; 0 del; 8 mod
  Patch: https://git.openjdk.java.net/jdk/pull/3905.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/3905/head:pull/3905

PR: https://git.openjdk.java.net/jdk/pull/3905

RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in si…

[Hai-May Chao]

The jarsigner tool currently provides warning associated with the signer’s cert 
when it uses weak algorithms, but not for the CA certs. This change is to 
process the signer’s cert chain to warn if CA certs use weak algorithms.

-

Commit messages:
 - 8259401: Add checking to jarsigner to warn weak algorithms used in signer’s 
cert chain

Changes: https://git.openjdk.java.net/jdk/pull/2042/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=2042&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8259401
  Stats: 125 lines in 2 files changed: 124 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/2042.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/2042/head:pull/2042

PR: https://git.openjdk.java.net/jdk/pull/2042

Integrated: 8253299: Manifest bytes are read twice when verifying a signed JAR

[Hai-May Chao]

On Wed, 18 Nov 2020 21:59:01 GMT, Hai-May Chao  wrote:

> Small change to retrieve the raw bytes of manifest during verifying signed 
> JAR.

This pull request has now been integrated.

Changeset: 9bb82232
Author:    Hai-May Chao 
Committer: Lance Andersen 
URL:   https://git.openjdk.java.net/jdk/commit/9bb82232
Stats: 6 lines in 1 file changed: 5 ins; 0 del; 1 mod

8253299: Manifest bytes are read twice when verifying a signed JAR

Reviewed-by: redestad, lancea, alanb

-

PR: https://git.openjdk.java.net/jdk/pull/1299

Re: RFR: 8253299: Manifest bytes are read twice when verifying a signed JAR

[Hai-May Chao]

On Thu, 19 Nov 2020 17:13:00 GMT, Lance Andersen  wrote:

>> Small change to retrieve the raw bytes of manifest during verifying signed 
>> JAR.
>
> Marked as reviewed by lancea (Reviewer).

Thank you all for the review. I added the noreg-trivial label to the bug.

-

PR: https://git.openjdk.java.net/jdk/pull/1299

Re: RFR: 8253299: Manifest bytes are read twice when verifying a signed JAR

[Hai-May Chao]

On Thu, 19 Nov 2020 17:20:58 GMT, Hai-May Chao  wrote:

>> Marked as reviewed by lancea (Reviewer).
>
> Thank you all for the review. I added the noreg-trivial label to the bug.

Lance, I've entered /integrate. Thank you for sponsoring this!

-

PR: https://git.openjdk.java.net/jdk/pull/1299

RFR: 8253299: Manifest bytes are read twice when verifying a signed JAR

[Hai-May Chao]

Small change to retrieve the raw bytes of manifest during verifying signed JAR.

-

Commit messages:
 - 8253299: Manifest bytes are read twice when verifying a signed JAR

Changes: https://git.openjdk.java.net/jdk/pull/1299/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=1299&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8253299
  Stats: 6 lines in 1 file changed: 5 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/1299.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/1299/head:pull/1299

PR: https://git.openjdk.java.net/jdk/pull/1299

Re: RFR: 8250968: Symlinks attributes not preserved when using jarsigner on zip files

[Hai-May Chao]

JarSigner.java #953: The output debug message can be removed from the code.
JavaUtilZipFileAccess.java #44: Change posixPerms to extraAttrs.
ZipFile.java #661: Suggest to keep the comment and update it with the 
additional 4 bits for symlink.

The rest of code changes and CSR look good.

Thanks,
Hai-May


> On Aug 28, 2020, at 7:17 AM, Seán Coffey  wrote:
> 
> I've been poking around the zip internals and am now able to locate the 16 
> bits of interest. The position of these actual bits does appear to move 
> around from one test run to another. For now, I guess it's sufficient to look 
> for the pattern of interest in the signed zip file. New testcase added.
> 
> http://cr.openjdk.java.net/~coffeys/webrev.8250968.v4/webrev/ 
> 
> regards,
> Sean.
> 
> On 27/08/2020 15:58, Weijun Wang wrote:
>>> Looks like it was a conscious design decision to only allow recording of 
>>> POSIX permission bits for this field (& 0xFFF). I don't see anything about 
>>> symlink support in zipfs docs.
>> As long as that *byte* is there and it’s not difficult to locate, we can 
>> manually add the *bit* for symlink and see if jarsigner can keep it.
>> 
>> —Max
>>