On Thu, 18 Nov 2021 15:03:33 GMT, Sean Mullan wrote:
>> We should, but the problem is that jarsigner needs to individually test each
>> algorithm, so it can properly display which algorithm is restricted. So, I
>> think it will need to parse the RSSASSA params itself, and then call the
>> cons
On Tue, 16 Nov 2021 18:10:04 GMT, Sean Mullan wrote:
>> When a signature/digest algorithm was being checked, the algorithm
>> constraints checked both the signature/digest algorithm and the key to see
>> if they were restricted. This caused duplicate checks and was also
>> problematic for `jar
On Tue, 16 Nov 2021 17:53:16 GMT, Sean Mullan wrote:
>> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line
>> 1491:
>>
>>> 1489: private static String checkWeakAlg(String alg,
>>> CertPathConstraintsParameters cpcp) {
>>> 1490: try {
>>> 1491: CER
> When a signature/digest algorithm was being checked, the algorithm
> constraints checked both the signature/digest algorithm and the key to see if
> they were restricted. This caused duplicate checks and was also problematic
> for `jarsigner` (and `keytool`) which need to distinguish these two
On Tue, 16 Nov 2021 01:07:55 GMT, Weijun Wang wrote:
>> When a signature/digest algorithm was being checked, the algorithm
>> constraints checked both the signature/digest algorithm and the key to see
>> if they were restricted. This caused duplicate checks and was also
>> problematic for `jar
On Tue, 16 Nov 2021 01:41:50 GMT, Weijun Wang wrote:
> I'm feeling we should completely dump checking for algorithms and switch to
> checking algorithmIds. Even if currently it's only RSASSA-PSS, but suppose
> one day we support the SHAKE256-LEN MessageDigest algorithm and I suppose
> that LEN
On Mon, 8 Nov 2021 14:04:15 GMT, Sean Mullan wrote:
> When a signature/digest algorithm was being checked, the algorithm
> constraints checked both the signature/digest algorithm and the key to see if
> they were restricted. This caused duplicate checks and was also problematic
> for `jarsigne
When a signature/digest algorithm was being checked, the algorithm constraints
checked both the signature/digest algorithm and the key to see if they were
restricted. This caused duplicate checks and was also problematic for
`jarsigner` (and `keytool`) which need to distinguish these two cases,