RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them
Hai-May Chao
hai-may.chao at oracle.com
Wed Apr 8 06:18:32 UTC 2020
Hi Max,
Thanks for your review.
I’ve updated webrev with your comment.
Hai-May
> On Apr 7, 2020, at 8:13 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>
> Everything looks fine, except a very tiny issue:
>
> 1332 private String verifyWithWeak(PublicKey key) {
> 1333     if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
> 1334         if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
> 1335             int kLen = KeyUtil.getKeySize(key);
> 1336             if (kLen >= 0) {
> 1337                 return String.format(rb.getString("key.bit"), kLen);
> 1338             } else {
> 1339                 return rb.getString("unknown.size");
> 1340             }
> 1341         } else {
> 1342             weakPublicKey = key;
> 1343             legacyAlg |= 8;
> 1344             return String.format(rb.getString("key.bit.weak"), KeyUtil.getKeySize(key));
> 1345         }
> 1346     } else {
> 1347         disabledAlgFound = true;
> 1348         return String.format(rb.getString("key.bit.disabled"), KeyUtil.getKeySize(key));
> 1349     }
> 1350 }
>
> You can move line 1335 before line 1334 since the size is also used in the else block on lines 1342-1344.
>
> Thanks,
> Max
>
>> On Apr 6, 2020, at 12:51 AM, Hai-May Chao <hai-may.chao at oracle.com> wrote:
>>
>> Here is the webrev:
>>
>> http://cr.openjdk.java.net/~weijun/8172404/webrev.00/
>>
>> Thanks,
>> Hai-May
>>
>>
>>> On Apr 4, 2020, at 11:41 PM, Hai-May Chao <hai-may.chao at oracle.com> wrote:
>>>
>>> Hi,
>>>
>>> I'd like to request a review for:
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8172404
>>> CSR: https://bugs.openjdk.java.net/browse/JDK-8238640
>>>
>>> It’d be useful to start warning users that certain algorithms and key lengths are becoming weak, so that users could begin to transition away from them before they are actually disabled. A new security property named jdk.security.legacyAlgorithms is added to the java.security file to list the legacy algorithms. The keytool and jarsigner tools are enhanced to enforce the new property and to emit the warning messages when legacy algorithms are used.
>>>
>>> Thanks,
>>> Hai-May
>>
>
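The three-way outcome discussed in this thread (algorithm disabled, algorithm legacy but still permitted, algorithm fine), with the key size computed once as Max suggests, as an added stand-alone example. This is not code from the webrev or the JDK: the constraint parser handles only the "ALG" and "ALG keySize < N" forms of the java.security list syntax, the property values below are constructed for the demo and are not the JDK defaults, and the messages stand in for the resource-bundle strings used by keytool and jarsigner.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not JDK code): a minimal model of the check that keytool
 * and jarsigner run against a signer's public key once a legacy list
 * (jdk.security.legacyAlgorithms) exists alongside the disabled list.
 */
public class LegacyAlgCheck {

    /** One entry of a constraints list: "SHA1" or "RSA keySize < 2048". */
    static final class Constraint {
        final String alg;
        final int minKeySize;   // 0 when the entry bans the algorithm outright

        Constraint(String alg, int minKeySize) {
            this.alg = alg;
            this.minKeySize = minKeySize;
        }

        /** True if this entry forbids the given algorithm at the given size. */
        boolean denies(String keyAlg, int keySize) {
            if (!alg.equalsIgnoreCase(keyAlg)) {
                return false;
            }
            return minKeySize == 0 || keySize < minKeySize;
        }
    }

    /**
     * Parses the comma-separated list format used by the jdk.*Algorithms
     * security properties. Only "ALG" and "ALG keySize < N" are supported
     * here; the real parser accepts more operators and usage qualifiers.
     */
    static List<Constraint> parse(String property) {
        List<Constraint> out = new ArrayList<>();
        for (String raw : property.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) {
                continue;
            }
            String[] parts = entry.split("\\s+");
            if (parts.length == 1) {
                out.add(new Constraint(parts[0], 0));
            } else if (parts.length == 4
                    && parts[1].equalsIgnoreCase("keySize")
                    && parts[2].equals("<")) {
                out.add(new Constraint(parts[0], Integer.parseInt(parts[3])));
            } else {
                throw new IllegalArgumentException("unsupported constraint: " + entry);
            }
        }
        return out;
    }

    /** True if no entry in the list denies this algorithm/size. */
    static boolean permits(List<Constraint> constraints, String alg, int keySize) {
        for (Constraint c : constraints) {
            if (c.denies(alg, keySize)) {
                return false;
            }
        }
        return true;
    }

    // Constructed values in the java.security list format; not the JDK defaults.
    static final List<Constraint> DISABLED_CHECK = parse("MD5, RSA keySize < 1024");
    static final List<Constraint> LEGACY_CHECK   = parse("SHA1, RSA keySize < 2048");

    /**
     * Mirrors the shape of verifyWithWeak: disabled is checked before legacy,
     * and the key size is obtained once and reused by every branch.
     * kLen < 0 models KeyUtil.getKeySize returning "unknown".
     */
    static String verifyWithWeak(String alg, int kLen) {
        if (!permits(DISABLED_CHECK, alg, kLen)) {
            return kLen + "-bit " + alg + " key (disabled)";
        }
        if (!permits(LEGACY_CHECK, alg, kLen)) {
            return kLen + "-bit " + alg + " key (weak)";
        }
        return kLen >= 0 ? kLen + "-bit " + alg + " key" : "unknown size";
    }

    public static void main(String[] args) {
        System.out.println(verifyWithWeak("RSA", 512));   // disabled
        System.out.println(verifyWithWeak("RSA", 1024));  // weak: still allowed, warned
        System.out.println(verifyWithWeak("RSA", 2048));  // fine
    }
}
```

The ordering matters: a key that fails the disabled list must never be reported merely as weak, which is why the disabled check comes first in both the original method and this model; the legacy list only adds the warning tier in between.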