RFR 8212003: Obsoleting the default keytool -keyalg option

Sean Mullan sean.mullan at oracle.com
Fri Nov 16 19:56:21 UTC 2018


Looks good. Please file a follow-on issue to remove the defaults.

--Sean

On 11/16/18 9:35 AM, Weijun Wang wrote:
> Please take a review at
> 
>     https://cr.openjdk.java.net/~weijun/8212003/webrev.00/
> 
> Here, a warning is added when -keyalg is not specified, and some informational text output that was only available in verbose mode is now always printed.
> 
> Below is the exact output you will see after this change. Please note that we can only create a DES SecretKey in a JCEKS keystore. Also, depending on whether the subject is provided through -dname or entered interactively, the warning on the default -keyalg option appears in different places. In the interactive mode, it appears at the beginning so that the user can exit early if the default -keyalg value is not preferred.
> 
> $ keytool -genseckey -alias a -keystore jceks -storepass changeit -storetype jceks -keypass changeit
> Generated 56-bit DES secret key
> 
> Warning:
> No -keyalg option. The default key algorithm (DES) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.
> The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore jceks -destkeystore jceks -deststoretype pkcs12".
> 
> c $ keytool -genkeypair -alias c -keystore /tmp/p12 -storepass changeit
> 
> Warning:
> No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.
> 
> What is your first and last name?
>    [Unknown]:  Duke
> What is the name of your organizational unit?
>    [Unknown]:  Java
> What is the name of your organization?
>    [Unknown]:  Oracle
> What is the name of your City or Locality?
>    [Unknown]:  Santa Clara
> What is the name of your State or Province?
>    [Unknown]:  CA
> What is the two-letter country code for this unit?
>    [Unknown]:  US
> Is CN=Duke, OU=Java, O=Oracle, L=Santa Clara, ST=CA, C=US correct?
>    [no]:  yes
> 
> Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days
> 	for: CN=Duke, OU=Java, O=Oracle, L=Santa Clara, ST=CA, C=US
> 
> c $ keytool -genkeypair -alias d -keystore /tmp/p12 -storepass changeit -dname CN=A
> Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days
> 	for: CN=A
> 
> Warning:
> No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.
> 
> Thanks
> Max
> 
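The change under review warns when a script relies on keytool's default algorithm (DES for -genseckey, DSA for -genkeypair). The wrapper below is an added example, not code from this thread or from the JDK: it appends an explicit -keyalg when the caller omitted one, and it counts the new "No -keyalg option" warning in captured keytool output so a build log can be checked for scripts that still depend on the default. The substitute algorithms (EC with a 256-bit key, AES-256) and the sample output are choices and constructions made here, not anything keytool itself does.

```shell
#!/bin/sh
# Added example (not from the JDK review thread or the JDK sources).
# Goal: never let keytool -genkeypair / -genseckey fall back to the legacy
# default -keyalg (DSA / DES) that the change under review now warns about.

# has_keyalg ARGS... : succeeds if -keyalg appears anywhere in the arguments.
has_keyalg() {
    for arg in "$@"; do
        [ "$arg" = "-keyalg" ] && return 0
    done
    return 1
}

# default_keyalg_fix CMD ARGS... : prints the extra arguments this wrapper
# appends for a keytool invocation, or nothing if -keyalg is already given
# or the command does not generate a key. The algorithms are the wrapper's
# own assumed policy (EC P-256 for key pairs, AES-256 for secret keys).
default_keyalg_fix() {
    if has_keyalg "$@"; then
        return 0
    fi
    case "$1" in
        -genkeypair) printf '%s' "-keyalg EC -keysize 256" ;;
        -genseckey)  printf '%s' "-keyalg AES -keysize 256" ;;
    esac
}

# keytool_explicit CMD ARGS... : runs keytool with the fix appended. The
# unquoted substitution is intentional: the fix string holds only fixed
# tokens without spaces, so word splitting yields exactly those arguments.
keytool_explicit() {
    # shellcheck disable=SC2046
    keytool "$@" $(default_keyalg_fix "$@")
}

# count_default_keyalg_warnings TEXT : number of lines in captured keytool
# output carrying the warning introduced by JDK-8212003. grep -c prints 0
# and exits 1 when nothing matches; "|| true" keeps that from aborting a
# caller running under set -e.
count_default_keyalg_warnings() {
    printf '%s\n' "$1" | grep -c 'No -keyalg option' || true
}

# Constructed sample, modelled on the -dname case shown in the review mail.
SAMPLE_OUTPUT='Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days
	for: CN=A

Warning:
No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.'

# Demo: show what the wrapper would append for two typical invocations and
# how many default-keyalg warnings the sample output contains.
printf 'genkeypair fix: %s\n' "$(default_keyalg_fix -genkeypair -alias d -keystore /tmp/p12 -dname CN=A)"
printf 'genseckey fix:  %s\n' "$(default_keyalg_fix -genseckey -alias a -storetype jceks)"
printf 'warnings in sample output: %s\n' "$(count_default_keyalg_warnings "$SAMPLE_OUTPUT")"
```

In a CI pipeline the two checks complement each other: `keytool_explicit` stops new scripts from depending on the default, and `count_default_keyalg_warnings` run over the build log finds existing scripts that still do, so they can be fixed before the release in which the default is removed.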


