Code review request: 7180907: Jarsigner -verify fails if rsa file used sha-256 with authenticated attributes
Vincent Ryan vincent.x.ryan at oracle.com
Thu Jul 12 09:41:40 UTC 2012
Your fix looks good Max. Thanks.
On 07/12/12 02:42 AM, Weijun Wang wrote:
Someone else can review the 7u6 part? I need two reviewers.
Thanks
Max

On 07/06/2012 02:44 PM, Xuelei Fan wrote:
On 7/6/2012 1:03 PM, Weijun Wang wrote:
Hi All
I have two fixes for this bug:
For 7u6: http://cr.openjdk.java.net/~weijun/7180907/7u/webrev.00/

Looks fine to me, except a very minor copyright date: you may want to use 2012 for SignerInfo.java.

This simply makes the name recognizable. It's safe and I don't want anything broken in 7u6.
Thanks
Max
[1] http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html
-------- Original Message --------
=== Description ============================================================
SHORT SUMMARY:
If a signature block (.RSA, a PKCS#7 object) contains authenticated attributes and uses a SHA-256 digest, verification will fail.
The digest algorithm is stored in the PKCS7 using the correct OID (2.16.840.1.101.3.4.2.1) but sun.security.x509.AlgorithmId maps this back to an algorithm with name "SHA256". This is not a valid MessageDigest name - the correct version is SHA-256.
The debug output from: jarsigner -J-Djava.security.debug=all -verbose -verify i3.jar debug.txt and i3.jar available here: ftp://bugftp.us.oracle.com/upload/bug13/bug13941476
INDICATORS:
COUNTER INDICATORS:
TRIGGERS:
KNOWN WORKAROUND:
PRESENT SINCE: N/A
HOW TO VERIFY: Run attached test case
NOTES FOR SE: None
REGRESSION:
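
The name mismatch in the description above, as an added example (not code from the webrev or from the JDK): the digest OID and the hyphen-less name "SHA256" are normalized to the standard name before the MessageDigest lookup. The class and its `canonical` and `resolves` helpers are hypothetical, and the OIDs other than the SHA-256 one are not from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Map;

public class DigestNameCheck {
    // Digest OIDs as they appear in a PKCS#7 SignerInfo, mapped to JCA standard names.
    private static final Map<String, String> OID_TO_NAME = Map.of(
        "1.3.14.3.2.26", "SHA-1",
        "2.16.840.1.101.3.4.2.1", "SHA-256",
        "2.16.840.1.101.3.4.2.2", "SHA-384",
        "2.16.840.1.101.3.4.2.3", "SHA-512");

    // Hypothetical helper: turn an OID or a hyphen-less name into the standard name.
    static String canonical(String nameOrOid) {
        String s = nameOrOid.trim();
        if (s.regionMatches(true, 0, "OID.", 0, 4)) s = s.substring(4);
        String byOid = OID_TO_NAME.get(s);
        if (byOid != null) return byOid;
        // "SHA256" -> "SHA-256", "sha1" -> "SHA-1"; other names only get upper-cased.
        return s.toUpperCase(Locale.ROOT).replaceFirst("^SHA(\\d+)$", "SHA-$1");
    }

    // Report whether the providers on this runtime resolve the name exactly as given.
    static boolean resolves(String name) {
        try {
            MessageDigest.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the OID from the report, the name AlgorithmId
        // produced for it, and the standard name.
        for (String in : new String[] {"2.16.840.1.101.3.4.2.1", "SHA256", "SHA-256"}) {
            String fixed = canonical(in);
            byte[] d = MessageDigest.getInstance(fixed)
                    .digest("abc".getBytes(StandardCharsets.UTF_8));
            System.out.printf("%-24s raw lookup ok=%-5b canonical=%s digest bytes=%d%n",
                    in, resolves(in), fixed, d.length);
        }
    }
}
```

The "raw lookup ok" column depends on the provider aliases of the runtime it is run on; the canonical name is what the lookup should be given regardless.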