RFR 8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms

Weijun Wang weijun.wang at oracle.com
Fri Feb 17 02:35:17 UTC 2017



On 02/15/2017 11:04 PM, Seán Coffey wrote:
> Hi Weijun,
>
> That looks good to me and will be a big help for keytool usability.
>
> Some thoughts:
>
> Main.java : in your printCRL method, would you consider editing the
> X509CRLImpl class to print with a customized string ? It'll make the
> code more resilient to future changes in this area
>
> i.e. something like this in X509CRLImpl :
>
>  public String toString() { return printCRL(null); }
>  public String printCRL(String custom) {
>    // transfer the toString() code to here
>    // and allow for 'custom' string to be injected if non-null
>    ..
>  }
>
> in Main.java, I'd suggest an instanceof check for X509CRLImpl before
> calling printCRL(..). Could X509CRL.getSigAlgName() then be used for
> passing into the withWeak method call?

I can probably pass DISABLED_CHECK into this new printCRL() method. Will 
try.

>
> ===
>
> Also in Main.java, maybe you could reduce
> printWeakWarningsWithoutNewLine and printWeakWarnings() to one method -
> e.g. printWeakWarnings(boolean newline)

Good idea.

Thanks
Max


