[10] RFR 8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"

Weijun Wang
Please review this trivial fix at

   http://cr.openjdk.java.net/~weijun/8185934/webrev.00/

KeyUtil.getSize() is also called elsewhere when the key is weak, where key length is not -1.

Noreg-trivial.

Thanks
Max


Re: [10] RFR 8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"

Sean Mullan
I don't think we should warn at all if the keysize cannot be determined
or is inaccessible. The corresponding algorithm constraints checks don't
restrict keys whose size cannot be determined, so keytool and jarsigner
should be consistent.

--Sean

On 8/8/17 1:49 AM, Weijun Wang wrote:

> Please review this trivial fix at
>
>     http://cr.openjdk.java.net/~weijun/8185934/webrev.00/
>
> KeyUtil.getSize() is also called elsewhere when the key is weak, where key length is not -1.
>
> Noreg-trivial.
>
> Thanks
> Max
>

Re: [10] RFR 8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"

Weijun Wang

On Aug 8, 2017, at 8:22 PM, Sean Mullan <[hidden email]> wrote:

> I don't think we should warn at all if the keysize cannot be determined or is inaccessible. The corresponding algorithm constraints checks don't restrict keys whose size cannot be determined, so keytool and jarsigner should be consistent.

This code change is not related to weak warnings. For jarsigner, it's the signing history:

- Signed by "CN=a"
   Digest algorithm: SHA-256
   Signature algorithm: SHA256withECDSA, -1-bit key

For keytool, it's the keytool -list -v output:

Alias name: a
...
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: -1-bit EC key
Version: 3

In fact, whenever the key size appears in a weak warning, as you said, it's always a positive value that fails a constraint check. This is why I said I haven't touched those KeyUtil.getSize() outputs.

--Max


> --Sean
>
> On 8/8/17 1:49 AM, Weijun Wang wrote:
>> Please review this trivial fix at
>>   http://cr.openjdk.java.net/~weijun/8185934/webrev.00/
>> KeyUtil.getSize() is also called elsewhere when the key is weak, where key length is not -1.
>> Noreg-trivial.
>> Thanks
>> Max
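
An added illustration of the display issue discussed in the message above, not the webrev's code and not JDK source: a label helper that treats a size of -1 as "unknown" instead of printing it as a bit length. The `keySize` and `label` helpers, the "(unknown size)" wording and the opaque stand-in key are assumptions made for this example; it uses only public JCA interfaces rather than the internal KeyUtil.getSize().

```java
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.DSAKey;
import java.security.interfaces.DSAParams;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;

public class KeySizeLabel {
    // Hypothetical helper: bit length via public interfaces, -1 when it cannot be determined.
    static int keySize(Key key) {
        if (key instanceof RSAKey) return ((RSAKey) key).getModulus().bitLength();
        if (key instanceof ECKey) {
            ECKey ec = (ECKey) key;
            return ec.getParams() == null ? -1 : ec.getParams().getOrder().bitLength();
        }
        if (key instanceof DSAKey) {
            DSAParams p = ((DSAKey) key).getParams();
            return p == null ? -1 : p.getP().bitLength();
        }
        return -1; // opaque key: no interface exposes its parameters
    }

    // Display label: the -1 sentinel is never printed as if it were a size.
    static String label(Key key) {
        int size = keySize(key);
        return size > 0
                ? size + "-bit " + key.getAlgorithm() + " key"
                : key.getAlgorithm() + " key (unknown size)"; // assumed wording
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        PublicKey real = kpg.generateKeyPair().getPublic();

        // Constructed stand-in for an EC key whose parameters cannot be read.
        PublicKey opaque = new PublicKey() {
            public String getAlgorithm() { return "EC"; }
            public String getFormat() { return null; }
            public byte[] getEncoded() { return null; }
        };

        System.out.println("Subject Public Key Algorithm: " + label(real));
        System.out.println("Subject Public Key Algorithm: " + label(opaque));
    }
}
```
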


Re: [10] RFR 8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"

Sean Mullan
Ok, I got it now. The method name "withWeak" threw me off a bit.

Fix looks good to me.

--Sean

On 8/8/17 9:00 AM, Weijun Wang wrote:

>
>> On Aug 8, 2017, at 8:22 PM, Sean Mullan <[hidden email]> wrote:
>>
>> I don't think we should warn at all if the keysize cannot be
>> determined or is inaccessible. The corresponding algorithm constraints
>> checks don't restrict keys whose size cannot be determined, so keytool
>> and jarsigner should be consistent.
>
> This code change is not related to weak warnings. For jarsigner, it's
> the signing history:
>
>> - Signed by "CN=a"
>>    Digest algorithm: SHA-256
>>    Signature algorithm: SHA256withECDSA, -1-bit key
>
> For keytool, it's the keytool -list -v output:
>
>> Alias name: a
>> ...
>> Signature algorithm name: SHA256withECDSA
>> Subject Public Key Algorithm: -1-bit EC key
>> Version: 3
>
> In fact, whenever the key size appears in a weak warning, as you said,
> it's always a positive value that fails a constraint check. This is why
> I said I haven't touched those KeyUtil.getSize() outputs.
>
> --Max
>
>>
>> --Sean
>>
>> On 8/8/17 1:49 AM, Weijun Wang wrote:
>>> Please review this trivial fix at
>>>   http://cr.openjdk.java.net/~weijun/8185934/webrev.00/
>>> KeyUtil.getSize() is also called elsewhere when the key is weak,
>>> where key length is not -1.
>>> Noreg-trivial.
>>> Thanks
>>> Max
>

Re: [10] RFR 8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"

Weijun Wang

> On Aug 8, 2017, at 9:17 PM, Sean Mullan <[hidden email]> wrote:
>
> Ok, I got it now. The method name "withWeak" threw me off a bit.

Maybe it should be toStringWithPerhapsWeakLabel.

--Max
