Comments on the module-file format
Roger.Riggs at Sun.COM
Fri Feb 5 05:43:38 PST 2010
Using multiple signing formats increases the complexity all around:
the target needs to include the code to support all the formats, deal
with multiple kinds of certificates, etc.; developers will need guidance
about what formats to use, and tools are needed as well.
Unless there are non-technical reasons that force multiple signing formats,
a single one will be easier on the eco-system. Requiring a single scheme
that always works, with optional additional schemes, would be a good start.
On 2/4/10 11:47 PM, Mark Reinhold wrote:
>> Date: Wed, 03 Feb 2010 17:34:10 -0500
>> From: sean.mullan at sun.com
>> I'm still coming up to speed on jigsaw itself, but I read through the latest
>> module format and had a couple of quick comments from a security perspective.
> Thanks for reading!
>> - are the current hashes intended to be primarily used as a checksum or are
>> they also designed as input into a subsequent signing operation? (or is that
>> TBD). The hash and the data can be replaced for example, by a man-in-the-middle
>> without detection.
> They're intended for both purposes, though right now they're used only
> for integrity checks.
>> - as for the signature itself, one possible suggestion is to consider reusing
>> the existing PKCS#7 format that we use for JAR signatures. PKCS#7 already
>> defines a format for holding the necessary certificates and is extensible to
>> support various signature algorithms. And of course there is already PKCS#7
>> support in the JRE. PKCS#7 is also designed to support single-pass processing.
> I'm not an expert in this area, but that makes sense to me. Are there
> other formats we should consider? Do PGP/GPG somehow map into PKCS 7?
> Where should signatures reside -- in a module file, or alongside it in a
> separate file? JAR files do the former, but some OS packaging systems
> (e.g., Debian) do the latter.
> If signatures go in module files then they should probably be near the
> front so that certificates can be checked before reading the entire file.
> - Mark
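Sean's point about the current hashes, illustrated with example code added for this page (not code from the JDK, from jigsaw, or from anyone in the thread): an intermediary that can rewrite the content can also recompute the hash, so a bare hash only catches accidental corruption, while a signature over the same content binds it to a key the intermediary does not hold. The example uses java.security.Signature with RSA as a stand-in for whatever container (PKCS#7 or otherwise) the module format eventually adopts; the module text and the key pair are constructed on the fly.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;

public class ModuleIntegrityDemo {

    // Integrity-only check: compares the stored hash with a fresh SHA-256 of the data.
    static boolean hashMatches(byte[] data, byte[] storedHash) throws Exception {
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(data);
        return Arrays.equals(actual, storedHash);
    }

    // Authenticity check: the signature covers the data and can only be produced
    // with the private key, so rewriting the data invalidates it.
    static boolean signatureValid(byte[] data, byte[] sig, PublicKey pub) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(data);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample module content; the real format is binary.
        byte[] original = "module hello @ 1.0 { requires java.base; }".getBytes(StandardCharsets.UTF_8);
        byte[] storedHash = MessageDigest.getInstance("SHA-256").digest(original);

        // Hypothetical publisher key pair, generated here for the demonstration.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair publisher = kpg.generateKeyPair();
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(publisher.getPrivate());
        signer.update(original);
        byte[] sig = signer.sign();

        // A man-in-the-middle replaces the content and recomputes the hash to match it.
        byte[] tampered = "module hello @ 1.0 { requires evil; }".getBytes(StandardCharsets.UTF_8);
        byte[] tamperedHash = MessageDigest.getInstance("SHA-256").digest(tampered);

        System.out.println("hash check passes on tampered data+hash: " + hashMatches(tampered, tamperedHash));
        System.out.println("signature check passes on tampered data:  " + signatureValid(tampered, sig, publisher.getPublic()));
        System.out.println("signature check passes on original data:  " + signatureValid(original, sig, publisher.getPublic()));
    }
}
```

The first check reports success even though the content was replaced, which is the gap Sean describes; only the signature check distinguishes the publisher's content from the intermediary's.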