RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms

Sean Mullan mullan at openjdk.java.net
Wed Apr 27 19:38:40 UTC 2022


On Tue, 19 Apr 2022 16:08:28 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

> Please review these changes to add DES/3DES/MD5 to `jdk.security.legacyAlgorithms` security property, and to add the legacy algorithm constraint checking to `keytool` commands that are associated with secret key entries stored in the keystore. These `keytool` commands are -genseckey, -importpass, -list, and -importkeystore. As a result, `keytool` will be able to generate warnings when it detects that the secret key based algorithms and PBE based Mac and cipher algorithms are weak. Also removes the "This algorithm will be disabled in a future update.” from the existing warnings for the asymmetric keys/certificates.
> Will also file a CSR.

Changes requested by mullan (Reviewer).

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1876:

> 1874: 
> 1875:         CertPathConstraintsParameters cpcp =
> 1876:                 new CertPathConstraintsParameters(secKey, null, null, null);

Using `CertPathConstraintsParameters` is a little odd here, even though it works. I suggest creating a local `SecretKeyConstraintsParameters` subclass with a ctor with just the parameters you need and overriding the methods as needed. And changing `checkWeakConstraint` to take a `ConstraintsParameters` instead of `CertPathConstraintsParameters`.

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1876:

> 1874: 
> 1875:         CertPathConstraintsParameters cpcp =
> 1876:                 new CertPathConstraintsParameters(secKey, null, null, null);

Using `CertPathConstraintsParameters` is a little odd here, even though it works. I suggest creating a local `SecretKeyConstraintsParameters` subclass with a ctor with just the parameters you need and overriding the methods as needed. And changing `checkWeakConstraints` to take a `ConstraintsParameters` instead of `CertPathConstraintsParameters`.

test/jdk/sun/security/tools/keytool/ReadJar.java line 162:

> 160:                 .shouldContain("Certificate #2:")
> 161:                 .shouldContain("Signer #2:")
> 162:                 .shouldNotMatch("The certificate #.* of signer #.*" + "uses the SHA1withRSA.*will be disabled")

You probably don't need to check for a non-occurrence here since the message has been changed and can no longer occur.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300


More information about the security-dev mailing list