On Thu, 16 Nov 2023 15:36:08 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> Code changes for HSS/LMS that's related to keytool and jarsigner: >> >> 1. No need to add `-sigalg` for both tools when HSS/LMS key is involved, it >> can only be `HSS/LMS`. >> 2. The `digestAlgorithm` field in a PKCS7 `SignerInfo`. It must be the same >> as the hash algorithm used by the HSS/LMS key. This needs to be enforced >> both at signing and verification. >> 3. HSS/LMS reuses `.DSA` as the signature block file extension inside a >> signed JAR file > > src/java.base/share/classes/sun/security/pkcs/PKCS7.java line 872: > >> 870: */ >> 871: @Deprecated(since="16", forRemoval=true) >> 872: public static byte[] generateSignedData(byte[] signature, > > Are you sure you want to remove this as part of this change? If there was a > reason this was deprecated for removal (perhaps some apps did use it even > though they should not), then before removing it it probably makes sense to > include it in a CSR, and maybe the RN too. This internal method was called by `TimestampedSigner` which was removed long ago when we removed the support for `ContentSigner` and `jarsigner -altsign`. It has been useless for some time and this is just a cleanup. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/14254#discussion_r1395997766
