[9] RFR 8177569: keytool should not warn if signature algorithm used in cacerts is weak

Sean Mullan sean.mullan at oracle.com
Wed Mar 29 20:39:04 UTC 2017


The updated fix looks good to me.

--Sean

On 3/29/17 4:38 AM, Weijun Wang wrote:
> Webrev updated at
>
>   http://cr.openjdk.java.net/~weijun/8177569/webrev.01
>
> Changes since last version:
>
> - Trusted cert entries in the current keystore are also trusted. See the
> new isTrusted() method.
>
> - A cert is treated as a root CA cert only if -trustcacerts is specified.
>
> - In the current keytool documentation, -trustcacerts is only designed
> for -importcert, and it should have no effect on other commands.
> Therefore the internal trustcacerts flag is reset when the command is not
> IMPORTCERT. We might re-consider this in a future release (JDK-8177760).
>
> - Several checkWeak() calls are moved before the keyStore change so the
> check is based only on the original keystore content. This prevents a new
> cert from being treated as trusted while it is being -import'ed.
>
> - Test modifications.
>
> Thanks
> Max
>
> On 03/27/2017 09:43 AM, Weijun Wang wrote:
>> Please take a review at
>>
>>    http://cr.openjdk.java.net/~weijun/8177569/webrev.00/
>>
>> Since our implementation of CertPath validation does not check for the
>> signature algorithm of a root CA, keytool should not warn about its
>> weakness either.
>>
>> Thanks
>> Max
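
The trust decision and check ordering described in the thread above, as an added Java sketch; it is not the keytool source and not part of the original messages. The class WeakWarnDemo, the helpers isWeak(), inStore() and shouldWarn(), and this body of isTrusted() are hypothetical, and the weak-algorithm test is a simplified stand-in for the JDK's disabled-algorithm policy. It assumes Java 9 or later and reads the running JDK's own cacerts file.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Locale;

public class WeakWarnDemo {
    // Assumption: simplified stand-in for the JDK's disabled-algorithm policy.
    static boolean isWeak(X509Certificate c) {
        String alg = c.getSigAlgName().toUpperCase(Locale.ROOT);
        return alg.startsWith("MD2") || alg.startsWith("MD5") || alg.startsWith("SHA1");
    }

    // True only if c is stored as a trusted cert entry, not as part of a key entry.
    static boolean inStore(KeyStore ks, Certificate c) throws Exception {
        String alias = ks.getCertificateAlias(c);
        return alias != null && ks.isCertificateEntry(alias);
    }

    // Trusted = trusted cert entry in the current keystore, or in cacerts
    // when -trustcacerts was given (hypothetical re-creation of isTrusted()).
    static boolean isTrusted(KeyStore current, KeyStore cacerts, boolean trustcacerts, Certificate c) throws Exception {
        return inStore(current, c) || (trustcacerts && inStore(cacerts, c));
    }

    static boolean shouldWarn(KeyStore current, KeyStore cacerts, boolean trustcacerts, X509Certificate c) throws Exception {
        return isWeak(c) && !isTrusted(current, cacerts, trustcacerts, c);
    }

    public static void main(String[] args) throws Exception {
        File f = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore cacerts = KeyStore.getInstance(f, (char[]) null); // Java 9+
        KeyStore current = KeyStore.getInstance("PKCS12");
        current.load(null, null); // empty in-memory keystore
        for (String alias : Collections.list(cacerts.aliases())) {
            X509Certificate c = (X509Certificate) cacerts.getCertificate(alias);
            if (!isWeak(c)) continue;
            boolean noFlag = shouldWarn(current, cacerts, false, c);  // import without -trustcacerts
            boolean withFlag = shouldWarn(current, cacerts, true, c); // import with -trustcacerts
            current.setCertificateEntry("imported", c);
            // Same check run after the keystore change: the new cert vouches for itself.
            boolean afterImport = shouldWarn(current, cacerts, false, c);
            System.out.printf("%s (%s): noFlag=%b withFlag=%b afterImport=%b%n", alias, c.getSigAlgName(), noFlag, withFlag, afterImport);
            return;
        }
        System.out.println("No weak-signature root in this JDK's cacerts");
    }
}
```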


