RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v9]

Hai-May Chao hchao at openjdk.java.net
Wed May 4 20:35:31 UTC 2022


On Thu, 28 Apr 2022 13:47:05 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Changes requested by mullan (Reviewer).
>
>> @seanjmullan Since we use symmetric keys to encrypt entries and add integrity check, should this enhancement cover them as well? For example, if a PKCS12 keystore is created with `-J-Dkeystore.pkcs12.legacy=true`, should the algorithms used be warned? BTW, in legacy mode, we use PBEWithSHA1AndRC2_40 when encrypting keys. Should the security property include "RC2" as well?
>> 
>> Not sure if it's doable, because those are PKCS12-specific codes. `keytool` is not able to see them.
> 
> Right, I think this would require knowledge of what keystore type is being used and parsing the PKCS12 encoded bytes, which seems beyond the scope of this RFE. Also, those algorithms are disabled by default, so in some sense the user is making a decision to use them by enabling the system property and is therefore taking the risk themselves.

@seanjmullan @wangweij Thanks for the review!

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300


