Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8171936

The warning message in java trace is changed for weakly signed jnlp

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P3 P3
    • 9
    • 9
    • deploy
    • b153

      ENV: win7/x64/jre9-b150
      Steps to reproduce:
      0. Enable java trace
      1. Import self ca cert self.valid.cert to JCP -> Security -> Manage Certificates -> Singer CA:
      http://sqeweb.us.oracle.com/net/scanas415/export/deployment/crystal/DO_NOT_REMOVE_ME/jrebug/JawsTimeStampSHA1/lib/self.valid.cert
      2. Disable DSA alg by adding or modifying the following property in jre_home/conf/java.security:
      jdk.jar.disabledAlgorithms=MD2, DSA, RSA keySize < 1024
      3. Load jnlp signed with disabled DSA alg cert: javaws http://sqeweb.us.oracle.com/net/scanas415/export/deployment/crystal/DO_NOT_REMOVE_ME/jrebug/JawsTimeStampSHA1/jnlp/testWeaklySigned_JNLP.jnlp
      4. If the message "the jar may be signed by a weak algorithm that is now disabled, for example MD2 or MD5. Please turn on \"-Djava.security.debug=jar\" to get more detailed trace or go to http://www.java.com/jcpsecurity to find more information" is not shown in java trace, this bug is reproduced.

      Now the message has been changed to "The following resource is signed with a weak signature algorithm SHA256withDSA and is treated as unsigned: http://127.0.0.1:8080/JawsTimeStampSHA1/classes/HelloWorldDSA.jar This algorithm is now disabled by the security property:
      jdk.jar.disabledAlgorithms=MD2, DSA, RSA keySize < 1024".


      jre9 b150 trace:
      http://scaab055.us.oracle.com:9504/runs/01913/1913126.ManualSubmit/1913126.ManualSubmit-1/html/javaws/JawsTimeStampSHA1/Javaws8165171Test_testWeaklySigned_JNLP_Trace.trace

      jre9 b144 trace:
      http://scaab055.us.oracle.com:9504/runs/01878/1878244.ManualSubmit/1878244.ManualSubmit-1/html/javaws/JawsTimeStampSHA1/Javaws8165171Test_testWeaklySigned_JNLP_Dialog.trace

            wenjyang Crystal Yang (Inactive)
            wenjyang Crystal Yang (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: