Code Review Request of JDK-8157035 Use stronger algorithms and keys for JSSE testing

Wang Weijun weijun.wang at oracle.com
Mon May 16 14:24:33 UTC 2016


> On May 16, 2016, at 9:34 PM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> 
> On 5/16/2016 9:13 PM, Wang Weijun wrote:
>> I downloaded the files and they match what you described below.
>> 
>> Can you please add a text file describing how they are generated?
> The generation is straightforward with keytool.  May not need an
> additional text file any more.

Binary files are usually not allowed in OpenJDK. If you have to include some, add some description.

> 
>> Also, I see an unknown_keystore in the same directory still using the weak algorithms. Do you also intend to update it?
>> 
> Not sure of the use cases for unknown_keystore.  No plan to touch it
> this time.

It is used by CheckMyTrustedKeystore.java which has @ignore. So let it be.

--Max

> 
> Thanks,
> Xuelei
> 
>> Thanks
>> Max
>> 
>>> On May 16, 2016, at 8:52 PM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>> 
>>> Hi,
>>> 
>>> Please review this test update:
>>>  http://cr.openjdk.java.net/~xuelei/8157035/webrev.00/
>>> 
>>> test/javax/net/ssl/etc/keystore and truststore are used a lot for X.509
>>> cert based SSL/TLS authentication in JDK testing.  MD5 and SHA1 are used
>>> as the signature algorithms. The key size of EC certs is 192 bits.
>>> 
>>> MD5 has been disabled, and 192-bit EC keys will be disabled in the near
>>> future (see JDK-8148516).  It's time to use stronger algorithms (SHA256)
>>> and keys (2048 bits for RSA and 256 bits for EC).
>>> 
>>> This update renews the RSA cert with a 2048-bit key and the EC cert with
>>> a 256-bit key.  And the hash algorithms of the signatures are now SHA256.
>>> 
>>> Note that the DSA entry is not updated this time.
>>> 
>>> Thanks,
>>> Xuelei
>> 
> 
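
Added example, not part of the thread or the webrev: one way a reviewer could confirm that a binary keystore matches the description above (SHA256 signatures, 2048-bit RSA, 256-bit EC). The class name `KeystoreStrengthAudit` and the two command-line arguments (keystore path and store password) are assumptions made for this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.Locale;

public class KeystoreStrengthAudit {
    // Bit length of the public key, or -1 for key types not handled here.
    static int keyBits(PublicKey k) {
        if (k instanceof RSAPublicKey) return ((RSAPublicKey) k).getModulus().bitLength();
        if (k instanceof ECPublicKey) return ((ECPublicKey) k).getParams().getOrder().bitLength();
        if (k instanceof DSAPublicKey && ((DSAPublicKey) k).getParams() != null)
            return ((DSAPublicKey) k).getParams().getP().bitLength();
        return -1;
    }

    // Minimums taken from the thread: SHA256 signatures, 2048-bit RSA, 256-bit EC.
    static boolean isWeak(String sigAlg, String keyAlg, int bits) {
        String s = sigAlg.toUpperCase(Locale.ROOT);      // e.g. "MD5WITHRSA"
        if (s.startsWith("MD5") || s.startsWith("SHA1")) return true;
        if (keyAlg.equals("RSA")) return bits < 2048;
        if (keyAlg.equals("EC")) return bits < 256;
        return false;   // key size of other types (e.g. DSA) is printed, not judged
    }

    // args[0] = keystore path, args[1] = store password (both assumptions).
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            PublicKey pk = x.getPublicKey();
            int bits = keyBits(pk);
            System.out.printf("%-12s %-18s %s/%d %s%n", alias, x.getSigAlgName(),
                pk.getAlgorithm(), bits,
                isWeak(x.getSigAlgName(), pk.getAlgorithm(), bits) ? "WEAK" : "ok");
        }
    }
}
```

An entry still signed with SHA1 (such as the DSA entry the thread leaves unchanged, if it uses SHA1withDSA) is reported as WEAK on its signature algorithm alone.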
