JDK-8266225

jarsigner is using incorrect security property to show weakness of certs

    • Bug
    • Resolution: Fixed
    • P4
    • 17
    • security-libs
        jarsigner uses "jdk.jar.disabledAlgorithms" to decide whether a certificate uses a weak algorithm, but for certificates it should be using "jdk.certpath.disabledAlgorithms" instead.

        For example:

        1. Suppose you create a signer certificate that's using MD5withRSA as its signature algorithm. Note: this must not be a self-signed cert because jarsigner does not check the signature algorithm of such a cert.

        2. Sign a JAR file with this certificate using default algorithms.

        Now, remove the MD5 algorithm from "jdk.jar.disabledAlgorithms" and keep it in "jdk.certpath.disabledAlgorithms", run `jarsigner -verify -verbose -certs` on the newly signed JAR file, and it shows:

        ```
              >>> Signer
              X.509, CN=ee (ee)
              Signature algorithm: MD5withRSA, 2048-bit key
              [certificate is valid from 4/28/21, 11:58 AM to 1/23/24, 10:58 AM]
              X.509, CN=ca (ca)
              Signature algorithm: SHA256withRSA, 2048-bit key
              [trusted certificate]
              [Invalid certificate chain: Algorithm constraints check failed on signature algorithm: MD5withRSA]
        ```

        The last line comes from the CertPath validation check on the cert chain, which correctly detected the weak algorithm (listed in "jdk.certpath.disabledAlgorithms"), but there is no "disabled" label on the "Signature algorithm" line. This is incorrect, and the output should be made consistent.

        Conversely, reversing the setting (removing MD5 from "jdk.certpath.disabledAlgorithms" but keeping it in "jdk.jar.disabledAlgorithms") produces the opposite output, which is just as inconsistent: there is no CertPath validation error, but the "disabled" label is shown.
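        As an added illustration (not code from this bug report or from the JDK), the following Java program applies the distinction the report draws: for each certificate in a keystore chain it reports whether the signature algorithm appears in `jdk.certpath.disabledAlgorithms` (the property that governs certificate chains) or only in `jdk.jar.disabledAlgorithms` (the property jarsigner was wrongly consulting for certificates). It uses only public API; `decompose` is a simplified stand-in for the JDK's internal algorithm-name matching, so it handles plain entries such as `MD5` and skips qualified entries (`keySize`, `usage`, `jdkCA`, `denyAfter`, `include`), which the real JDK does evaluate.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class SigAlgConstraintCheck {
    // Simplified decomposer: "MD5withRSA" -> {MD5WITHRSA, MD5, RSA}; SHA-n and SHAn both added.
    static Set<String> decompose(String sigAlg) {
        Set<String> parts = new HashSet<>();
        parts.add(sigAlg.toUpperCase(Locale.ROOT));
        for (String p : sigAlg.split("(?i)with|and")) {
            String u = p.toUpperCase(Locale.ROOT);
            parts.add(u);
            if (u.matches("SHA\\d+")) parts.add("SHA-" + u.substring(3));
            if (u.matches("SHA-\\d+")) parts.add("SHA" + u.substring(4));
        }
        return parts;
    }

    // Returns the entry of the named security property that disables sigAlg outright,
    // or null. Qualified entries (e.g. "RSA keySize < 1024", "include ...") are skipped.
    static String disabledBy(String property, String sigAlg) {
        String value = Security.getProperty(property);
        if (value == null) return null;
        Set<String> parts = decompose(sigAlg);
        for (String entry : value.split(",")) {
            String e = entry.trim();
            if (e.isEmpty() || e.contains(" ")) continue;
            if (parts.contains(e.toUpperCase(Locale.ROOT))) return e;
        }
        return null;
    }

    // The certpath property is authoritative for a certificate; a jar-only hit is a mismatch.
    static String report(X509Certificate cert) {
        String alg = cert.getSigAlgName();
        String cp = disabledBy("jdk.certpath.disabledAlgorithms", alg);
        String jar = disabledBy("jdk.jar.disabledAlgorithms", alg);
        String label = cp != null ? " [disabled by jdk.certpath.disabledAlgorithms]"
            : jar != null ? " [only in jdk.jar.disabledAlgorithms; not a certpath constraint]" : "";
        return cert.getSubjectX500Principal() + ", " + alg + label;
    }

    // Usage: java SigAlgConstraintCheck <keystore> <storepass> <alias>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());
        Certificate[] chain = ks.getCertificateChain(args[2]);   // null for a trusted-cert entry
        if (chain == null) chain = new Certificate[] { ks.getCertificate(args[2]) };
        for (Certificate c : chain) System.out.println(report((X509Certificate) c));
    }
}
```

        Running it with `-Djava.security.properties=<file>` pointing at an overriding `java.security` file reproduces the two property configurations described above.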

              Haimay Chao (hchao)
              Weijun Wang (weijun)