RFR 8212003: Obsoleting the default keytool -keyalg option

Weijun Wang weijun.wang at oracle.com
Fri Nov 16 14:35:45 UTC 2018


Please take a review at

   https://cr.openjdk.java.net/~weijun/8212003/webrev.00/

Here, a warning is added when -keyalg is not specified, and some informational text output that was only available in verbose mode is now always printed.

Below is the exact output you will see after this change. Please note that we can only create a DES SecretKey in a JCEKS keystore. Also, depending on whether the subject is provided through -dname or entered interactively, the warning on the default -keyalg option appears in different places. In the interactive mode, it appears at the beginning so that the user can exit early if the default -keyalg value is not preferred.

$ keytool -genseckey -alias a -keystore jceks -storepass changeit -storetype jceks -keypass changeit
Generated 56-bit DES secret key

Warning:
No -keyalg option. The default key algorithm (DES) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.
The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore jceks -destkeystore jceks -deststoretype pkcs12".

$ keytool -genkeypair -alias c -keystore /tmp/p12 -storepass changeit

Warning:
No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.

What is your first and last name?
  [Unknown]:  Duke
What is the name of your organizational unit?
  [Unknown]:  Java
What is the name of your organization?
  [Unknown]:  Oracle
What is the name of your City or Locality?
  [Unknown]:  Santa Clara
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Duke, OU=Java, O=Oracle, L=Santa Clara, ST=CA, C=US correct?
  [no]:  yes

Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days
	for: CN=Duke, OU=Java, O=Oracle, L=Santa Clara, ST=CA, C=US

$ keytool -genkeypair -alias d -keystore /tmp/p12 -storepass changeit -dname CN=A
Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days
	for: CN=A

Warning:
No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.

Thanks
Max
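As an added example (not part of this review or of the JDK's own code), a small shell check that finds key-pair entries created with the legacy default algorithm by parsing "keytool -list -v" output. The listing below is constructed, and the wording of the "Subject Public Key Algorithm" and "Signature algorithm name" lines is assumed to match current keytool releases; verify it against your own JDK before relying on it.

```shell
# Constructed sample of `keytool -list -v` output (three entries).
# Alias "c" was generated without -keyalg and therefore got the DSA default.
SAMPLE_LISTING='Alias name: c
Entry type: PrivateKeyEntry
Subject Public Key Algorithm: 2048-bit DSA key
Signature algorithm name: SHA256withDSA

Alias name: e
Entry type: PrivateKeyEntry
Subject Public Key Algorithm: 256-bit EC key
Signature algorithm name: SHA256withECDSA

Alias name: a
Entry type: SecretKeyEntry'

# legacy_aliases LISTING
# Prints one alias per line for every key-pair entry whose public key or
# self-signature uses DSA. Secret-key entries are not covered, because the
# listing does not show their algorithm.
legacy_aliases() {
    printf '%s\n' "$1" | awk '
        function flush() { if (alias != "" && legacy) print alias; alias = ""; legacy = 0 }
        /^Alias name:/ { flush(); alias = $0; sub(/^Alias name: */, "", alias) }
        /^Subject Public Key Algorithm:.*DSA key/ { legacy = 1 }
        /^Signature algorithm name: .*withDSA/   { legacy = 1 }
        END { flush() }
    '
}

# count_legacy LISTING
# Number of legacy entries; 0 means no DSA key pairs were found.
count_legacy() {
    legacy_aliases "$1" | wc -l | tr -d ' '
}

# Usage against a real store (assumed paths):
#   count_legacy "$(keytool -list -v -keystore /tmp/p12 -storepass changeit)"
# Regenerate flagged entries with an explicit algorithm, e.g. -keyalg EC or -keyalg RSA.
legacy_aliases "$SAMPLE_LISTING"
```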