RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]
Hai-May Chao
hchao at openjdk.java.net
Thu Apr 28 07:36:40 UTC 2022
On Wed, 27 Apr 2022 21:04:59 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Changes requested by mullan (Reviewer).
>
> @seanjmullan Since we use symmetric keys to encrypt entries and add integrity check, should this enhancement cover them as well? For example, if a PKCS12 keystore is created with `-J-Dkeystore.pkcs12.legacy=true`, should the algorithms used be warned? BTW, in legacy mode, we use PBEWithSHA1AndRC2_40 when encrypting keys. Should the security property include "RC2" as well?
>
> Not sure if it's doable, because those are PKCS12-specific codes. `keytool` is not able to see them.
@wangweij This is an interesting question that you raised. From keytool perspective, this security property `keystore.pkcs12.legacy` is implemented in underlying `PKCS12 KeyStore` as you pointed out. It’s not clear to me the need to add RC2 to the security property. Regarding PBEWithSHA1AndRC2_40 algorithm, the algorithm constraint checking will always flag “SHA1” as a weak algorithm prior to RC2 after decomposing this algorithm. And RC2 is not supported by the PKCS12 KeyStore already.
-------------
PR: https://git.openjdk.java.net/jdk/pull/8300
More information about the security-dev
mailing list