[14] RFR: 8233228: Support named curves for all disabledAlgorithms
Weijun Wang
weijun.wang at oracle.com
Tue Dec 10 01:34:10 UTC 2019
Hi Tony,
Please include this tiny change to keytool:
diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@@ -4658,7 +4658,7 @@
rb.getString("whose.key.risk"),
label,
String.format(rb.getString("key.bit"),
- KeyUtil.getKeySize(key), key.getAlgorithm())));
+ KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
}
}
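Review bot: `fullDisplayAlgName(key)` on the `+` line is not defined anywhere in the visible hunk, so the non-EC behaviour of the change cannot be checked from the posted diff; include the helper's definition (or the location in Main.java where it already exists) and confirm that for keys without a named curve (RSA, DSA) it returns plain `key.getAlgorithm()`, so the `key.bit` message text stays unchanged for them and only EC keys gain the `(curve)` suffix.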
Without this change, when a new keypair is generated using a disabled curve name, it will show:
The generated certificate uses a 256-bit EC key which is considered a security risk.
With it, there is a clue:
The generated certificate uses a 256-bit EC (secp256k1) key which is considered a security risk.
I used to only check the algorithm name and key size.
Thanks,
Max
> On Dec 10, 2019, at 2:04 AM, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
>
> I've updated the webrev to address many of the comments. In particular adding checks when keys given directly. Also, the changing from legacyEC hardcoded list to a security property jdk.disabled.namedCurves.
>
> https://cr.openjdk.java.net/~ascarpino/8233228/webrev.01/
>
> Tony