Details
-
Bug
-
Resolution: Unresolved
-
P4
-
8, 11
Description
Given a Jar signed with JDK 16.0.1, 16.0.2 and 17
When verifying it with JDK 11.0.11, 11.0.12 and 1.8.0_301, then:
Actual:
Signature algorithm: SHA256withSHA256withECDSA, 256-bit key.
Expected:
Signature algorithm: SHA256withECDSA, 256-bit key.
Note that if the verification is done with JDK 16.0.2 or 17, the expected output is shown, hence this is a compatibility issue with previous versions.
Steps to reproduce:
1- Create a jar file (any simple jar).
2- Create keystore:
keytool -genkey -keystore testKeystore.jks -alias "test" -dname "CN=EC_SHA-256" -keyalg EC -sigalg SHA256withECDSA -validity 365 -storepass testpass
3- Sign the test.jar with JDK 16.0.2 or 17:
[JDK-PATH]/bin/jarsigner -debug -verbose -digestalg SHA-256 -sigalg SHA256withECDSA -keystore testKeystore.jks -storepass testpass -signedjar signed.jar test.jar "test"
4- Verify with JDK 11.0.12 and 1.8.0_301:
[JDK-PATH]/bin/jarsigner -debug -verbose -certs -keystore testKeystore.jks -verify signed.jar "test"
When verifying it with JDK 11.0.11, 11.0.12 and 1.8.0_301, then:
Actual:
Signature algorithm: SHA256withSHA256withECDSA, 256-bit key.
Expected:
Signature algorithm: SHA256withECDSA, 256-bit key.
Note that if the verification is done with JDK 16.0.2 or 17, the expected output is shown, hence this is a compatibility issue with previous versions.
Steps to reproduce:
1- Create a jar file (any simple jar).
2- Create keystore:
keytool -genkey -keystore testKeystore.jks -alias "test" -dname "CN=EC_SHA-256" -keyalg EC -sigalg SHA256withECDSA -validity 365 -storepass testpass
3- Sign the test.jar with JDK 16.0.2 or 17:
[JDK-PATH]/bin/jarsigner -debug -verbose -digestalg SHA-256 -sigalg SHA256withECDSA -keystore testKeystore.jks -storepass testpass -signedjar signed.jar test.jar "test"
4- Verify with JDK 11.0.12 and 1.8.0_301:
[JDK-PATH]/bin/jarsigner -debug -verbose -certs -keystore testKeystore.jks -verify signed.jar "test"