P3
ENV: win7/x64/jre9-b150
Steps to reproduce:
0. Enable java trace
1. Import self ca cert self.valid.cert to JCP -> Security -> Manage Certificates -> Singer CA:
http://sqeweb.us.oracle.com/net/scanas415/export/deployment/crystal/DO_NOT_REMOVE_ME/jrebug/JawsTimeStampSHA1/lib/self.valid.cert
2. Disable DSA alg by adding or modifying the following property in jre_home/conf/java.security:
jdk.jar.disabledAlgorithms=MD2, DSA, RSA keySize < 1024
3. Load jnlp signed with disabled DSA alg cert: javaws http://sqeweb.us.oracle.com/net/scanas415/export/deployment/crystal/DO_NOT_REMOVE_ME/jrebug/JawsTimeStampSHA1/jnlp/testWeaklySigned_JNLP.jnlp
4. If the message "the jar may be signed by a weak algorithm that is now disabled, for example MD2 or MD5. Please turn on \"-Djava.security.debug=jar\" to get more detailed trace or go to http://www.java.com/jcpsecurity to find more information" is not shown in java trace, this bug is reproduced.
Now the message has been changed to "The following resource is signed with a weak signature algorithm SHA256withDSA and is treated as unsigned: http://127.0.0.1:8080/JawsTimeStampSHA1/classes/HelloWorldDSA.jar This algorithm is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, DSA, RSA keySize < 1024".
jre9 b150 trace:
http://scaab055.us.oracle.com:9504/runs/01913/1913126.ManualSubmit/1913126.ManualSubmit-1/html/javaws/JawsTimeStampSHA1/Javaws8165171Test_testWeaklySigned_JNLP_Trace.trace
jre9 b144 trace:
http://scaab055.us.oracle.com:9504/runs/01878/1878244.ManualSubmit/1878244.ManualSubmit-1/html/javaws/JawsTimeStampSHA1/Javaws8165171Test_testWeaklySigned_JNLP_Dialog.trace
Steps to reproduce:
0. Enable java trace
1. Import self ca cert self.valid.cert to JCP -> Security -> Manage Certificates -> Singer CA:
http://sqeweb.us.oracle.com/net/scanas415/export/deployment/crystal/DO_NOT_REMOVE_ME/jrebug/JawsTimeStampSHA1/lib/self.valid.cert
2. Disable DSA alg by adding or modifying the following property in jre_home/conf/java.security:
jdk.jar.disabledAlgorithms=MD2, DSA, RSA keySize < 1024
3. Load jnlp signed with disabled DSA alg cert: javaws http://sqeweb.us.oracle.com/net/scanas415/export/deployment/crystal/DO_NOT_REMOVE_ME/jrebug/JawsTimeStampSHA1/jnlp/testWeaklySigned_JNLP.jnlp
4. If the message "the jar may be signed by a weak algorithm that is now disabled, for example MD2 or MD5. Please turn on \"-Djava.security.debug=jar\" to get more detailed trace or go to http://www.java.com/jcpsecurity to find more information" is not shown in java trace, this bug is reproduced.
Now the message has been changed to "The following resource is signed with a weak signature algorithm SHA256withDSA and is treated as unsigned: http://127.0.0.1:8080/JawsTimeStampSHA1/classes/HelloWorldDSA.jar This algorithm is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, DSA, RSA keySize < 1024".
jre9 b150 trace:
http://scaab055.us.oracle.com:9504/runs/01913/1913126.ManualSubmit/1913126.ManualSubmit-1/html/javaws/JawsTimeStampSHA1/Javaws8165171Test_testWeaklySigned_JNLP_Trace.trace
jre9 b144 trace:
http://scaab055.us.oracle.com:9504/runs/01878/1878244.ManualSubmit/1878244.ManualSubmit-1/html/javaws/JawsTimeStampSHA1/Javaws8165171Test_testWeaklySigned_JNLP_Dialog.trace