Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8254943

Update the JAR file spec on EC and RSA signature block types

    Details

    • Type: CSR
    • Status: Draft
    • Priority: P4
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Interface Kind:
      File or wire format
    • Scope:
      JDK

      Description

      Summary

      Add the EC signature block file type to JAR file spec, and renew the definitions of EC and RSA types.

      Problem

      The JAR file spec only mentions signature block types of RSA and DSA, but we've added EC long long ago. We also recently added support for new signature algorithms like RSASSA-PSS and EdDSA and we are reusing the RSA and EC types.

      Solution

      See below. This is spec change only. No new code change.

      Specification

      In the JAR File Specification, add the ".EC" signature block file extension (in retrospect) and clarify the extension's dependance on private key algorithms.

      diff --git a/closed/src/java.base/share/specs/jar/jar.md b/closed/src/java.base/share/specs/jar/jar.md
      --- a/closed/src/java.base/share/specs/jar/jar.md
      +++ b/closed/src/java.base/share/specs/jar/jar.md
      @@ -1,5 +1,5 @@
       ---
      -# Copyright (c) 1993, 2018, Oracle and/or its affiliates. All rights reserved.
      +# Copyright (c) 1993, 2020, Oracle and/or its affiliates. All rights reserved.
       #
      
       title: 'JAR File Specification'
      @@ -166,11 +166,11 @@
      
       The signature file for the JAR file. 'x' stands for the base file name.
      
      --   `x.DSA`
      +-   `x.DSA`, `x.RSA`, or `x.EC`
      
       The signature block file associated with the signature file with the
       same base file name. This file stores the digital signature of the
      -corresponding signature file.
      +corresponding signature file in a PKCS #7 structure.
      
       -   `services/`
      
      @@ -420,6 +420,7 @@
       -   `META-INF/*.SF`
       -   `META-INF/*.DSA`
       -   `META-INF/*.RSA`
      +-   `META-INF/*.EC`
       -   `META-INF/SIG-*`
      
       Note that if such files are located in `META-INF` subdirectories, they
      @@ -597,11 +598,12 @@
       These are binary files not intended to be interpreted by humans.
      
       Digital signature files have the same filenames as the .SF files but
      -different extensions. The extension varies depending on the type of
      -digital signature.
      +different extensions. The extension varies depending on the algorithm
      +of the signer's private key.
      
      --   `.RSA` (PKCS7 signature, SHA-256 + RSA)
      --   `.DSA` (PKCS7 signature, DSA)
      +-   `.RSA` (for RSA or RSASSA-PSS keys)
      +-   `.DSA` (for DSA keys)
      +-   `.EC` (for EC or EdDSA keys)
      
       Digital signature files for signature algorithms not listed above must
       reside in the `META-INF` directory and have the prefix "`SIG-`". The

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                weijun Weijun Wang
              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated: