RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v5]
Hai-May Chao
hchao at openjdk.java.net
Wed May 4 20:20:53 UTC 2022
On Tue, 3 May 2022 14:54:21 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2196:
>>
>>> 2194:
>>> 2195: try {
>>> 2196: SecretKey secKey = (SecretKey) keyStore.getKey(alias, storePass);
>>
>> This means any secret key entries that are protected by a different password than `storePass` will throw an `UnrecoverableKeyException` and we will not be able to check the constraints. For PKCS12 this is not an issue since `storePass` and `keyPass` have to be the same. But for other keystores like JCEKS it might be a problem. However, I note this is not really a new issue as details about secret key entries other than the fact they exist as entries are not listed, presumably because we may not have the right password.
>>
>> I would recommend adding a comment explaining this.
>>
>> For a future RFE, it might be useful to enhance `keytool -list -alias` to have a `-keypass` option so that additional information for entries protected by a different password than `storePass` could be listed, such as their algorithm and key size.
>
> Comment added.
Filed RFE JDK-8286031 as suggested.
-------------
PR: https://git.openjdk.java.net/jdk/pull/8300
More information about the security-dev
mailing list