RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

Hai-May Chao hchao at openjdk.java.net
Thu Apr 28 06:46:36 UTC 2022


On Wed, 27 Apr 2022 19:34:04 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   SecretKeyConstraintsParameters subclass created and property description updated
>
> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1876:
> 
>> 1874: 
>> 1875:         CertPathConstraintsParameters cpcp =
>> 1876:                 new CertPathConstraintsParameters(secKey, null, null, null);
> 
> Using `CertPathConstraintsParameters` is a little odd here, even though it works. I suggest creating a local `SecretKeyConstraintsParameters` subclass with a ctor with just the parameters you need and overriding the methods as needed. And changing `checkWeakConstraint` to take a `ConstraintsParameters` instead of `CertPathConstraintsParameters`.

Created `SecretKeyConstraintsParameter` subclass for keytool.

> src/java.base/share/conf/security/java.security line 657:
> 
>> 655: # implementations.
>> 656: 
>> 657: jdk.security.legacyAlgorithms=SHA1, \
> 
> Since we are now warning about weak symmetric key algorithms, we should make the description of this property more general. I would change lines 641-2 to "Legacy cryptographic algorithms and key lengths".

Updated the description.

> test/jdk/sun/security/tools/keytool/ReadJar.java line 162:
> 
>> 160:                 .shouldContain("Certificate #2:")
>> 161:                 .shouldContain("Signer #2:")
>> 162:                 .shouldNotMatch("The certificate #.* of signer #.*" + "uses the SHA1withRSA.*will be disabled")
> 
> You probably don't need to check for a non-occurrence here since the message has been changed and can no longer occur.

Removed the checking for a non-occurrence from the tests.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300
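The review above turns on how keytool decides that a secret key's algorithm is "legacy" by consulting the `jdk.security.legacyAlgorithms` security property. The following Java class is an added illustration written for this page, not code from the PR or from keytool (keytool uses the internal `sun.security.util.DisabledAlgorithmConstraints` machinery, which also handles algorithm aliases and decomposed names). It reproduces only the observable rule with public APIs: an entry that is just a name marks every key of that algorithm as legacy, and an entry of the form `ALG keySize < N` marks keys of `ALG` shorter than `N` bits as legacy. The class name, method names and the sample property value are assumptions; the sample value is constructed to mirror the shape of the `java.security` entry, and the `record` syntax assumes Java 16 or later.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Illustrative (not keytool's own) check of a key against the
 * jdk.security.legacyAlgorithms property. Matching is a plain
 * case-insensitive comparison of the algorithm name; the JDK's real
 * implementation is more thorough.
 */
public class LegacyAlgorithmCheck {

    /** Marker meaning "legacy at any key size" for name-only entries. */
    static final int ANY_SIZE = Integer.MAX_VALUE;

    /** One parsed entry: algorithm name plus the size below which keys are legacy. */
    record Entry(String algorithm, int minKeySize) { }

    /** Parse the comma-separated property value into entries (assumed helper name). */
    static List<Entry> parse(String property) {
        List<Entry> entries = new ArrayList<>();
        if (property == null) {
            return entries;
        }
        for (String raw : property.split(",")) {
            String item = raw.trim();
            if (item.isEmpty()) {
                continue;
            }
            String[] parts = item.split("\\s+");
            if (parts.length == 4
                    && parts[1].equalsIgnoreCase("keySize")
                    && parts[2].equals("<")) {
                // "RSA keySize < 2048": RSA keys below 2048 bits are legacy
                entries.add(new Entry(parts[0].toUpperCase(Locale.ROOT),
                                      Integer.parseInt(parts[3])));
            } else {
                // "DES": every DES key is legacy, whatever its size
                entries.add(new Entry(item.toUpperCase(Locale.ROOT), ANY_SIZE));
            }
        }
        return entries;
    }

    /** True if the algorithm/size pair matches any legacy entry. */
    static boolean isLegacy(List<Entry> entries, String algorithm, int keySizeBits) {
        for (Entry e : entries) {
            if (e.algorithm().equalsIgnoreCase(algorithm) && keySizeBits < e.minKeySize()) {
                return true;
            }
        }
        return false;
    }

    /** Convenience overload for a SecretKey; size is taken from the encoding. */
    static boolean isLegacy(List<Entry> entries, SecretKey key) {
        byte[] encoded = key.getEncoded();
        int bits = encoded == null ? 0 : encoded.length * 8;
        return isLegacy(entries, key.getAlgorithm(), bits);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value (an assumption, not read from any JDK);
        // the installed value would come from Security.getProperty(...).
        String sample = "SHA1, RSA keySize < 2048, DSA keySize < 2048, DES, DESede, MD5";
        List<Entry> entries = parse(sample);

        SecretKey des = KeyGenerator.getInstance("DES").generateKey();
        SecretKey aes = KeyGenerator.getInstance("AES").generateKey();

        System.out.println("DES key legacy:   " + isLegacy(entries, des));
        System.out.println("AES key legacy:   " + isLegacy(entries, aes));
        System.out.println("RSA 1024 legacy:  " + isLegacy(entries, "RSA", 1024));
        System.out.println("RSA 3072 legacy:  " + isLegacy(entries, "RSA", 3072));

        // Reading the real property of the running JDK, for comparison.
        System.out.println("Installed value:  "
                + Security.getProperty("jdk.security.legacyAlgorithms"));
    }
}
```

Run it with `java LegacyAlgorithmCheck.java`. The point of the overload taking a `SecretKey` is the same as the review's suggestion to pass a `ConstraintsParameters` rather than a certificate-path-specific type: the check needs only an algorithm name and a key size, so the symmetric-key case should not have to pretend to be a certificate chain.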