RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms

Weijun Wang weijun at openjdk.java.net
Wed Apr 27 21:08:43 UTC 2022


On Wed, 27 Apr 2022 19:35:04 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Please review these changes to add DES/3DES/MD5 to `jdk.security.legacyAlgorithms` security property, and to add the legacy algorithm constraint checking to `keytool` commands that are associated with secret key entries stored in the keystore. These `keytool` commands are -genseckey, -importpass, -list, and -importkeystore. As a result, `keytool` will be able to generate warnings when it detects that the secret key based algorithms and PBE based Mac and cipher algorithms are weak. Also removes the "This algorithm will be disabled in a future update." from the existing warnings for the asymmetric keys/certificates.
>> Will also file a CSR.
>
> Changes requested by mullan (Reviewer).

@seanjmullan Since we use symmetric keys to encrypt entries and add an integrity check, should this enhancement cover them as well? For example, if a PKCS12 keystore is created with `-J-Dkeystore.pkcs12.legacy=true`, should the algorithms used be warned about? BTW, in legacy mode, we use `PBEWithSHA1AndRC2_40` when encrypting keys. Should the security property include "RC2" as well?

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300