JDK-8266225: jarsigner is using incorrect security property to show weakness of certs


Details

    • Bug
    • Resolution: Fixed
    • P4
    • 17
    • None
    • security-libs
    • None


Description

jarsigner uses "jdk.jar.disabledAlgorithms" to decide whether to flag a certificate as using a weak algorithm, but for certificates it should be using "jdk.certpath.disabledAlgorithms".

For example:

1. Suppose you create a signer certificate whose signature algorithm is MD5withRSA. Note: this must not be a self-signed cert, because jarsigner does not check the signature algorithm of such a cert.

2. Sign a JAR file with this certificate using the default algorithms.

Now remove the MD5 algorithm from "jdk.jar.disabledAlgorithms" but keep it in "jdk.certpath.disabledAlgorithms", run `jarsigner -verify -verbose -certs` on the newly signed JAR file, and it shows:

```
      >>> Signer
      X.509, CN=ee (ee)
      Signature algorithm: MD5withRSA, 2048-bit key
      [certificate is valid from 4/28/21, 11:58 AM to 1/23/24, 10:58 AM]
      X.509, CN=ca (ca)
      Signature algorithm: SHA256withRSA, 2048-bit key
      [trusted certificate]
      [Invalid certificate chain: Algorithm constraints check failed on signature algorithm: MD5withRSA]
```

The last line comes from the CertPath validation check on the cert chain, which correctly detected the weak algorithm (listed in "jdk.certpath.disabledAlgorithms"), but there is no "disabled" label on the "Signature algorithm" line. This is incorrect and we should make the output consistent.

Reversing the setting, removing MD5 from "jdk.certpath.disabledAlgorithms" but keeping it in "jdk.jar.disabledAlgorithms", shows the opposite output, which is equally inconsistent: there is no CertPath validation error, but the "Signature algorithm" line carries a "disabled" label.
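The property distinction described above, as an added example (not JDK or jarsigner code): a small Java program that applies a simplified reading of both disabledAlgorithms properties to a signer certificate's signature algorithm, so the certpath result and the jar result can be compared side by side. The class name CertAlgWeaknessCheck and the optional certificate-file argument are assumptions, and the parser only honours unconditional entries such as MD5, not constrained ones like "RSA keySize < 1024".

```java
import java.io.FileInputStream;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;
// Added example, not JDK code. Checks a certificate's signature algorithm
// against jdk.certpath.disabledAlgorithms (what jarsigner should consult
// for certificates) beside jdk.jar.disabledAlgorithms (what it consulted).
public class CertAlgWeaknessCheck {
    static final String JAR_PROP = "jdk.jar.disabledAlgorithms";
    static final String CERTPATH_PROP = "jdk.certpath.disabledAlgorithms";
    // "MD5withRSA" -> [MD5WITHRSA, MD5, RSA]: disabling a digest or key
    // algorithm disables every signature algorithm built on it.
    static List<String> decompose(String sigAlg) {
        String upper = sigAlg.toUpperCase(Locale.ROOT);
        List<String> parts = new ArrayList<>(List.of(upper));
        for (String half : upper.split("WITH", 2)) {
            parts.addAll(Arrays.asList(half.split("AND")));
        }
        return parts;
    }
    // Simplified reading of a disabledAlgorithms value: only unconditional
    // entries ("MD5") count; entries with a constraint ("RSA keySize < 1024",
    // "SHA1 jdkCA & usage ...") depend on context and are skipped here.
    static boolean isSignatureAlgDisabled(String sigAlg, String propertyValue) {
        if (propertyValue == null) return false;
        List<String> parts = decompose(sigAlg);
        for (String entry : propertyValue.split(",")) {
            String[] tokens = entry.trim().split("\\s+");
            if (tokens.length == 1 && parts.contains(tokens[0].toUpperCase(Locale.ROOT))) return true;
        }
        return false;
    }
    // Usage: java CertAlgWeaknessCheck [signer.cer]   (DER or PEM X.509 file)
    public static void main(String[] args) throws Exception {
        String sigAlg = "MD5withRSA";  // constructed sample when no file is given
        if (args.length > 0) {
            try (FileInputStream in = new FileInputStream(args[0])) {
                X509Certificate c = (X509Certificate) CertificateFactory
                        .getInstance("X.509").generateCertificate(in);
                sigAlg = c.getSigAlgName();
            }
        }
        for (String prop : new String[] {JAR_PROP, CERTPATH_PROP}) {
            boolean weak = isSignatureAlgDisabled(sigAlg, Security.getProperty(prop));
            System.out.printf("%-32s %s -> %s%n", prop, sigAlg, weak ? "disabled" : "allowed");
        }
    }
}
```

Running it with -Djava.security.properties=<file> that overrides one of the two properties reproduces the mismatch above; the certpath line is the one the certificate's "disabled" label should track.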

People

hchao Haimay Chao
weijun Weijun Wang