This looks good, just a few comments:
KeyStoreUtil:
79 if (!ca.getSubjectDN().equals(end.getIssuerDN())) {
Use getSubjectX500Principal instead of getSubjectDN as the DN matching
algorithm is more precise.
Resources:
246 "The %1$s algorithm used as %2$s is considered a
security risk."},
I would add a few more words to this:
"The %1$s algorithm specified for the %2$s option is considered a
security risk."
We should also enhance the jarsigner doc to include these warnings.
--Sean
On 11/18/2015 01:23 AM, Wang Weijun wrote:
Hi All
Please take a look at
http://cr.openjdk.java.net/~weijun/8130132/webrev.00/
These new warnings will be added to jarsigner:
The signer's certificate is self-signed.
This jar contains entries whose signer certificate is self-signed.
The %1$s algorithm used as %2$s is considered a security risk.
For the last one, %1#s is the algorithm name (For example, MD5), %2#s is the option name which is one of
"-digestalg", "-sigalg", and "-tsadigestalg".
Also, two existing warning messages
The signer's certificate chain is not validated.
This jar contains entries whose certificate chain is not validated.
will be updated to
The signer's certificate chain is not validated. Reason: %s
This jar contains entries whose certificate chain is not validated. Reason:
%s
where %s will be the getLocalizedMessage() value of the exception caught in
certificate chain validation.
Thanks
Max
