[14] RFR: 8233228: Support named curves for all disabledAlgorithms

Weijun Wang weijun.wang at oracle.com
Tue Dec 10 01:34:10 UTC 2019


Hi Tony,

Please include this tiny change to keytool:

diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@@ -4658,7 +4658,7 @@
                     rb.getString("whose.key.risk"),
                     label,
                     String.format(rb.getString("key.bit"),
-                            KeyUtil.getKeySize(key), key.getAlgorithm())));
+                            KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
         }
     }
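Review bot: fullDisplayAlgName(key) is not defined in this hunk; confirm it exists in Main.java (or is added elsewhere in the webrev) and that, for keys without a named curve, it falls back to the plain algorithm name that key.getAlgorithm() used to supply, since the same "key.bit" message is formatted for every key algorithm, not only EC. A test asserting that the warning now contains "EC (secp256k1)" for a key on a disabled curve would lock in the behaviour this change is meant to add.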

Without this change, when a new keypair is generated using a disabled curve name, it will show

   The generated certificate uses a 256-bit EC key which is considered a security risk.

With it, there is a clue:

   The generated certificate uses a 256-bit EC (secp256k1) key which is considered a security risk.

I used to only check the algorithm name and key size.

Thanks,
Max


> On Dec 10, 2019, at 2:04 AM, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
> 
> I've updated the webrev to address many of the comments.  In particular, adding checks when keys are given directly.  Also, changing from the legacyEC hardcoded list to a security property, jdk.disabled.namedCurves.
> 
> https://cr.openjdk.java.net/~ascarpino/8233228/webrev.01/
> 
> Tony
