RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v5]

Hai-May Chao hchao at openjdk.java.net
Tue May 3 14:57:18 UTC 2022 

On Mon, 2 May 2022 15:08:17 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Updated spec in java.security
>
> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2196:
> 
>> 2194: 
>> 2195:             try {
>> 2196:                 SecretKey secKey = (SecretKey) keyStore.getKey(alias, storePass);
> 
> This means any secret key entries that are protected by a different password than `storePass` will throw an `UnrecoverableKeyException` and we will not be able to check the constraints. For PKCS12 this is not an issue since `storePass` and `keyPass` have to be the same. But for other keystores like JCEKS it might be a problem. However, I note this is not really a new issue as details about secret key entries other than the fact they exist as entries are not listed, presumably because we may not have the right password. 
> 
> I would recommend adding a comment explaining this.
> 
> For a future RFE, it might be useful to enhance `keytool -list -alias` to have a `-keypass` option so that additional information for entries protected by a different password than `storePass` could be listed, such as their algorithm and key size.

Comment added.

> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 5039:
> 
>> 5037:     private void checkWeakConstraint(String label, String algName,
>> 5038:             ConstraintsParameters cp) {
>> 5039:         // Do not check disabled algorithms for symmetric key based algorithms for now
> 
> If this method is intended only to be called for symmetric keys, you should change the type of `cp` to `SecretKeyConstraintsParameters`.

Done.

> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 5248:
> 
>> 5246:     private static class SecretKeyConstraintsParameters implements ConstraintsParameters {
>> 5247:         private final Key key;
>> 5248:         public SecretKeyConstraintsParameters(Key key) {
> 
> This ctor could just be private.

Done.

> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 5259:
> 
>> 5257:         @Override
>> 5258:         public Set<Key> getKeys() {
>> 5259:             return null;
> 
> You should return `Set.of(key)` here. This allows the constraints to also check the key size, if that is also restricted. I would suggest adding a test where `jdk.security.legacyAlgorithms` includes a constraint for "AES < 256" to see if `keytool` warns about it when generating an AES key of 128 bits.

Fixed this method. Changed to check the key size (via passing checkKey=true). Added the suggested test to ensure that keytool will emit warning accordingly.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300

More information about the security-dev mailing list