RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them
Weijun Wang
weijun.wang at oracle.com
Wed Apr 8 03:13:04 UTC 2020
Everything looks fine, except a very tiny issue:
1332 private String verifyWithWeak(PublicKey key) {
1333 if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
1334 if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
1335 int kLen = KeyUtil.getKeySize(key);
1336 if (kLen >= 0) {
1337 return String.format(rb.getString("key.bit"), kLen);
1338 } else {
1339 return rb.getString("unknown.size");
1340 }
1341 } else {
1342 weakPublicKey = key;
1343 legacyAlg |= 8;
1344 return String.format(rb.getString("key.bit.weak"), KeyUtil.getKeySize(key));
1345 }
1346 } else {
1347 disabledAlgFound = true;
1348 return String.format(rb.getString("key.bit.disabled"), KeyUtil.getKeySize(key));
1349 }
1350 }
You can move line 1335 before line 1334 since the size is also used in the else block on lines 1342-1344.
Thanks,
Max
> On Apr 6, 2020, at 12:51 AM, Hai-May Chao <hai-may.chao at oracle.com> wrote:
>
> Here is the webrev:
>
> http://cr.openjdk.java.net/~weijun/8172404/webrev.00/
>
> Thanks,
> Hai-May
>
>
>> On Apr 4, 2020, at 11:41 PM, Hai-May Chao <hai-may.chao at oracle.com> wrote:
>>
>> Hi,
>>
>> I'd like to request a review for:
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8172404
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8238640
>>
>> It’d be useful to start warning users that certain algorithms and key lengths are becoming weak, so that users could begin transition away from them before they are actually disabled. A new security property named jdk.security.legacyAlgorithms is added to the java.security file to list the legacy algorithms. The keytool and jarsigner tools are enhanced to enforce the new property and to emit the warning messages when legacy algorithms are used.
>>
>> Thanks,
>> Hai-May
>
More information about the security-dev
mailing list