[9] RFR 8177569: keytool should not warn if signature algorithm used in cacerts is weak
Sean Mullan sean.mullan at oracle.com
Wed Mar 29 20:39:04 UTC 2017
- Previous message (by thread): [9] RFR 8177569: keytool should not warn if signature algorithm used in cacerts is weak
- Next message (by thread): JDK 9 RFR of JDK-8177638: com/sun/jarsigner, jdk/internal/loader (and more) are missed in TEST.group
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
The updated fix looks good to me.
--Sean
On 3/29/17 4:38 AM, Weijun Wang wrote:
> Webrev updated at
>
> http://cr.openjdk.java.net/~weijun/8177569/webrev.01
>
> Changes since last version:
>
> - Trusted cert entries in the current keystore are also trusted. See the new isTrusted() method.
> - A cert is treated as a root CA cert only if -trustcacerts is specified.
> - In the current keytool documentation, -trustcacerts is only designed for -importcert, and it should have no effect on other commands. Therefore the internal trustcacerts flag is reset when command is not IMPORTCERT. We might re-consider this in a future release (JDK-8177760).
> - Several checkWeak() calls are moved before keyStore change so the check is only based on original keystore content. This prevents a new cert treated trusted while it is being -import'ed.
> - Test modifications.
>
> Thanks
> Max
>
> On 03/27/2017 09:43 AM, Weijun Wang wrote:
>> Please take a review at
>>
>> http://cr.openjdk.java.net/~weijun/8177569/webrev.00/
>>
>> Since our implementation of CertPath validation does not check for the signature algorithm of a root CA, keytool should not warn about its weakness either.
>>
>> Thanks
>> Max