On Mon, 8 Nov 2021 14:04:15 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> When a signature/digest algorithm was being checked, the algorithm > constraints checked both the signature/digest algorithm and the key to see if > they were restricted. This caused duplicate checks and was also problematic > for `jarsigner` (and `keytool`) which need to distinguish these two cases, so > that the output can properly indicate when the key is disabled but the > signature or digest alg is ok. > > To address this issue, a new `checkKey` parameter is added to the > `DisabledAlgorithmConstraints.permits` methods. When `true` the key (alg and > size) is also checked, otherwise it is not. This flag is always set to > `false` by `jarsigner` when checking algs and by the JDK when checking digest > algorithms. Other small changes include changes in `SignerInfo` to use a > record to store info about the algorithms to be checked, and removing an > unnecessary CRL checking method from `AlgorithmChecker`. > > `keytool` will be enhanced in a subsequent CR to call the new methods. This pull request has now been integrated. Changeset: 03f8c0fb Author: Sean Mullan <mul...@openjdk.org> URL: https://git.openjdk.java.net/jdk/commit/03f8c0fb9363dc1bb07bed1ae0359c029caa0130 Stats: 121 lines in 9 files changed: 32 ins; 31 del; 58 mod 8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled Reviewed-by: weijun ------------- PR: https://git.openjdk.java.net/jdk/pull/6296