On Wed, 12 Jan 2022 21:57:22 GMT, Sean Mullan <mul...@openjdk.org> wrote:

> If a JAR is signed with multiple digest algorithms and one of the digest 
> algorithms is disabled, `ManifestEntryVerifier.verify()` was incorrectly 
> returning null indicating that the jar entry has no signers. 
> 
> This fixes the issue such that an entry is considered signed if at least one 
> of the digest algorithms is not disabled and the digest match passes. This 
> makes the fix consistent with how multiple digest algorithms are handled in 
> the Signature File. This also fixes an issue in the 
> `ManifestEntryVerifier.getParams()` method in which it was incorrectly 
> checking the algorithm constraints against all signers of a JAR when it 
> should check them only against the signers of the entry that is being 
> verified. 
> 
> An additional cache has also been added to avoid checking if the digest 
> algorithm is disabled more than once for entries signed by the same set of 
> signers.

This pull request has now been integrated.

Changeset: 61b89443
Author:    Sean Mullan <mul...@openjdk.org>
URL:       
https://git.openjdk.java.net/jdk/commit/61b8944327e3d12cf58dc3f6bc45ecbeba4ef611
Stats:     264 lines in 3 files changed: 214 ins; 20 del; 30 mod

8278851: Correct signer logic for jars signed with multiple digestalgs

Reviewed-by: coffeys, weijun

-------------

PR: https://git.openjdk.java.net/jdk/pull/7056

Reply via email to