RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v5]

Hai-May Chao hchao at openjdk.java.net
Wed May 4 20:20:53 UTC 2022


On Tue, 3 May 2022 14:54:21 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2196:
>> 
>>> 2194: 
>>> 2195:             try {
>>> 2196:                 SecretKey secKey = (SecretKey) keyStore.getKey(alias, storePass);
>> 
>> This means any secret key entries that are protected by a different password than `storePass` will throw an `UnrecoverableKeyException` and we will not be able to check the constraints. For PKCS12 this is not an issue since `storePass` and `keyPass` have to be the same. But for other keystores like JCEKS it might be a problem. However, I note this is not really a new issue as details about secret key entries other than the fact they exist as entries are not listed, presumably because we may not have the right password. 
>> 
>> I would recommend adding a comment explaining this.
>> 
>> For a future RFE, it might be useful to enhance `keytool -list -alias` to have a `-keypass` option so that additional information for entries protected by a different password than `storePass` could be listed, such as their algorithm and key size.
>
> Comment added.

Filed RFE JDK-8286031 as suggested.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300
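To illustrate the reviewer's point about secret-key entries protected by their own password, here is an added Java example that is not part of the PR or the JDK sources: it builds a JCEKS keystore (which, unlike keytool's PKCS12 handling, allows an entry password different from the store password), reloads it with storePass, and shows that `getKey` with storePass only succeeds for the entry that was stored under storePass. The `LEGACY` set, alias names and passwords are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Set;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example (not from the PR or the JDK): why keytool -list cannot
// inspect a secret-key entry whose keyPass differs from storePass.
public class KeyPassDemo {
    // Constructed list of algorithms the thread proposes to treat as legacy.
    static final Set<String> LEGACY = Set.of("DES", "DESede");

    // Try to recover the entry with the given password and classify it.
    static String inspect(KeyStore ks, String alias, char[] pass) {
        try {
            SecretKey k = (SecretKey) ks.getKey(alias, pass);
            String alg = k.getAlgorithm();
            return alias + ": " + alg + (LEGACY.contains(alg) ? " (legacy)" : "");
        } catch (UnrecoverableKeyException e) {
            // Wrong password for this entry: the same situation the review
            // describes, so nothing about the key can be checked.
            return alias + ": not recoverable with this password";
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "storepass".toCharArray();
        char[] keyPass = "keypass".toCharArray();   // deliberately different

        KeyStore ks = KeyStore.getInstance("JCEKS"); // supports per-entry passwords
        ks.load(null, null);
        SecretKey tdes = KeyGenerator.getInstance("DESede").generateKey();
        SecretKey aes = KeyGenerator.getInstance("AES").generateKey();
        ks.setKeyEntry("tdes-own-pass", tdes, keyPass, null);   // protected by keyPass
        ks.setKeyEntry("aes-store-pass", aes, storePass, null); // protected by storePass

        // Round-trip through bytes so the keystore is genuinely reloaded with storePass.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        KeyStore loaded = KeyStore.getInstance("JCEKS");
        loaded.load(new ByteArrayInputStream(out.toByteArray()), storePass);

        System.out.println(inspect(loaded, "aes-store-pass", storePass)); // storePass suffices
        System.out.println(inspect(loaded, "tdes-own-pass", storePass));  // storePass fails
        System.out.println(inspect(loaded, "tdes-own-pass", keyPass));    // keyPass recovers it
    }
}
```

The third call is what a `-keypass` option for `keytool -list -alias`, as proposed in the RFE, would make possible.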
