diff -u new/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java new/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
--- new/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java 2016-10-19 15:18:20.000000000 +0800
+++ new/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java 2016-10-20 08:05:23.000000000 +0800
@@ -90,14 +90,9 @@
 private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds
- // PROPERTY_CERTPATH_DISABLED_ALGS is currently more restrictive than
- // PROPERTY_JAR_DISABLED_ALGS and we used it at signing time.
- private static final DisabledAlgorithmConstraints VERIFY_CHECK =
+ private static final DisabledAlgorithmConstraints DISABLED_CHECK =
 new DisabledAlgorithmConstraints(
 DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
- private static final DisabledAlgorithmConstraints SIGN_CHECK =
- new DisabledAlgorithmConstraints(
- DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
 private static final Set DIGEST_PRIMITIVE_SET = Collections
 .unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
@@ -1082,7 +1077,7 @@
 }
 private String withWeak(String alg, Set primitiveSet) {
- if (VERIFY_CHECK.permits(primitiveSet, alg, null)) {
+ if (DISABLED_CHECK.permits(primitiveSet, alg, null)) {
 return alg;
 } else {
 seeWeak = true;
@@ -1091,7 +1086,7 @@
 }
 private String withWeak(PublicKey key) {
- if (VERIFY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
+ if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
 return String.format(
 rb.getString("key.bit"), KeyUtil.getKeySize(key));
 } else {
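Review bot: The merged `DISABLED_CHECK` constant (hunk -90,14 +90,9) is built only from `PROPERTY_JAR_DISABLED_ALGS`, so the signing-time checks in `signJar` (hunk -1290,19 +1285,19) no longer consult `PROPERTY_CERTPATH_DISABLED_ALGS`, which the removed comment described as the more restrictive list. An algorithm or key size restricted only by the certpath property would now sign without a weak-algorithm warning; whether certificate-path validation elsewhere still catches it is not visible in this diff. The removed explanation should be replaced rather than dropped, for example `// One policy for signing and verification: signJar warns on exactly the algorithms and keys that withWeak() flags.` If certpath restrictions are still meant to surface at signing time, a separate check against that property would have to stay.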
@@ -1290,19 +1285,19 @@
 void signJar(String jarName, String alias) throws Exception {
- if (digestalg != null && !SIGN_CHECK.permits(
+ if (digestalg != null && !DISABLED_CHECK.permits(
 DIGEST_PRIMITIVE_SET, digestalg, null)) {
 weakAlg |= 1;
 }
- if (tSADigestAlg != null && !SIGN_CHECK.permits(
+ if (tSADigestAlg != null && !DISABLED_CHECK.permits(
 DIGEST_PRIMITIVE_SET, tSADigestAlg, null)) {
 weakAlg |= 4;
 }
- if (sigalg != null && !SIGN_CHECK.permits(
+ if (sigalg != null && !DISABLED_CHECK.permits(
 SIG_PRIMITIVE_SET , sigalg, null)) {
 weakAlg |= 2;
 }
- if (!SIGN_CHECK.permits(
+ if (!DISABLED_CHECK.permits(
 SIG_PRIMITIVE_SET, privateKey)) {
 weakAlg |= 8;
 }
diff -u new/test/lib/testlibrary/jdk/testlibrary/JarUtils.java new/test/lib/testlibrary/jdk/testlibrary/JarUtils.java
--- new/test/lib/testlibrary/jdk/testlibrary/JarUtils.java 2016-10-19 15:18:25.000000000 +0800
+++ new/test/lib/testlibrary/jdk/testlibrary/JarUtils.java 2016-10-20 08:05:26.000000000 +0800
@@ -42,7 +42,7 @@
 /**
 * Create jar file with specified files. If a specified file does not exist,
- * a new jar entry will be created with the file name itself the content.
+ * a new jar entry will be created with the file name itself as the content.
 */
 public static void createJar(String dest, String... files) throws IOException {
@@ -67,7 +67,7 @@
 /**
 * Add or remove specified files to existing jar file. If a specified file
 * to be updated or added does not exist, the jar entry will be created
- * with the file name itself the content.
+ * with the file name itself as the content.
 *
 * @param src the original jar file name
 * @param dest the new jar file name
diff -u new/test/sun/security/tools/jarsigner/TimestampCheck.java new/test/sun/security/tools/jarsigner/TimestampCheck.java
--- new/test/sun/security/tools/jarsigner/TimestampCheck.java 2016-10-19 15:18:26.000000000 +0800
+++ new/test/sun/security/tools/jarsigner/TimestampCheck.java 2016-10-20 08:05:28.000000000 +0800
@@ -290,9 +290,9 @@
 }
 public static void main(String[] args) throws Throwable {
-
+
 prepare();
-
+
 try (Handler tsa = Handler.init(0, "tsks");) {
 tsa.start();
 int port = tsa.getPort();
@@ -341,25 +341,13 @@
 .shouldHaveExitValue(0);
 checkTimestamp("tsaalg.jar", defaultPolicyId, "SHA-1");
- sign("weak", "-digestalg", "MD2",
- "-sigalg", "MD2withRSA", "-tsadigestalg", "MD2")
- .shouldHaveExitValue(0)
- .shouldMatch("MD2.*-digestalg.*risk")
- .shouldMatch("MD2.*-tsadigestalg.*risk")
- .shouldMatch("MD2withRSA.*-sigalg.*risk");
- checkWeak("weak.jar");
-
- // Using MD5 is a warning in signing but still accepted
- // as signed in verification
- sign("semiweak", "-digestalg", "MD5",
- "-sigalg", "MD5withRSA", "-tsadigestalg", "MD5")
+ sign("weak", "-digestalg", "MD5",
+ "-sigalg", "MD5withRSA", "-tsadigestalg", "MD5")
 .shouldHaveExitValue(0)
 .shouldMatch("MD5.*-digestalg.*risk")
 .shouldMatch("MD5.*-tsadigestalg.*risk")
 .shouldMatch("MD5withRSA.*-sigalg.*risk");
- verify("semiweak.jar")
- .shouldHaveExitValue(0)
- .shouldContain("jar verified");
+ checkWeak("weak.jar");
 // When .SF or .RSA is missing or invalid
 checkMissingOrInvalidFiles("normal.jar");
@@ -458,7 +446,7 @@
 .shouldHaveExitValue(0)
 .shouldMatch("SignatureException:.*Disabled");
 }
-
+
 static void checkTimestamp(String file, String policyId, String digestAlg) throws Exception {
 try (JarFile jf = new JarFile(file)) {
@@ -505,7 +493,7 @@
 args.addAll(Arrays.asList(extra));
 return jarsigner(args);
 }
-
+
 static void prepare() throws Exception {
 jdk.testlibrary.JarUtils.createJar("old.jar", "A");
 Files.deleteIfExists(Paths.get("tsks"));
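Review bot: The rewritten case in main() (hunk -341,25 +341,13) leaves MD2 untested: the MD2 signing run is deleted and the `weak` jar name is reused for MD5, so a regression that stopped flagging MD2 would go unnoticed. The removed `verify("semiweak.jar")` assertion was also the only check on an algorithm that warns at signing yet still verifies, and nothing now covers an algorithm restricted for certificate paths but not for jars. Keeping the MD2 run under its own jar name, e.g. `sign("weak2", "-digestalg", "MD2", "-sigalg", "MD2withRSA", "-tsadigestalg", "MD2")` followed by `checkWeak("weak2.jar");`, would retain that coverage. This assumes MD2 remains in the jar disabled list, which the diff does not show; `checkWeak` itself is defined outside the hunk.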