[9] RFR 8177569: keytool should not warn if signature algorithm used in cacerts is weak

Weijun Wang weijun.wang at oracle.com
Wed Mar 29 08:38:37 UTC 2017


Webrev updated at

   http://cr.openjdk.java.net/~weijun/8177569/webrev.01

Changes since last version:

- Trusted cert entries in the current keystore are also trusted. See the 
new isTrusted() method.

- A cert is treated as a root CA cert only if -trustcacerts is specified.

- In the current keytool documentation, -trustcacerts is only designed 
for -importcert, and it should have no effect on other commands. 
Therefore the internal trustcacerts flag is reset when the command is not 
IMPORTCERT. We might reconsider this in a future release (JDK-8177760).

- Several checkWeak() calls are moved before keyStore change so the 
check is only based on original keystore content. This prevents a new 
cert from being treated as trusted while it is being -import'ed.

- Test modifications.

Thanks
Max

On 03/27/2017 09:43 AM, Weijun Wang wrote:
> Please review
>
>    http://cr.openjdk.java.net/~weijun/8177569/webrev.00/
>
> Since our implementation of CertPath validation does not check for the
> signature algorithm of a root CA, keytool should not warn about its
> weakness either.
>
> Thanks
> Max
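
The ordering point in the change list above (run the check against the original keystore content, before the import modifies it), as an added example that is not part of the original mail or of the webrev. The class `TrustCheckOrder`, the helper `hasCertEntry()` and this body of `isTrusted()` are hypothetical simplifications; it assumes a JDK 9+ layout with a non-empty `lib/security/cacerts`.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

public class TrustCheckOrder {
    // Simplified model (assumption, not keytool's code): a cert is trusted if it
    // is a trusted cert entry in the current keystore, or in cacerts when
    // -trustcacerts is in effect.
    static boolean isTrusted(Certificate c, KeyStore current,
                             KeyStore cacerts, boolean trustcacerts) throws Exception {
        return hasCertEntry(current, c) || (trustcacerts && hasCertEntry(cacerts, c));
    }

    // True if the keystore holds this exact cert as a trusted cert entry.
    static boolean hasCertEntry(KeyStore ks, Certificate c) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias) && c.equals(ks.getCertificate(alias))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Borrow a real certificate from the JDK's own cacerts as the "incoming" cert.
        File f = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore cacerts = KeyStore.getInstance(f, "changeit".toCharArray());
        String first = Collections.list(cacerts.aliases()).get(0);
        Certificate incoming = cacerts.getCertificate(first);

        // Empty in-memory keystore: the state before an -importcert.
        KeyStore current = KeyStore.getInstance("PKCS12");
        current.load(null, null);

        // Checked against the original content, the incoming cert is not trusted,
        // so a weak signature algorithm on it would still be reported.
        boolean before = isTrusted(incoming, current, cacerts, false);

        // Checked after the change, the cert vouches for itself and the
        // weak-algorithm warning would be skipped.
        current.setCertificateEntry("imported", incoming);
        boolean after = isTrusted(incoming, current, cacerts, false);

        System.out.println("trusted before import: " + before);
        System.out.println("trusted after import:  " + after);
    }
}
```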


