RFR: 8286907: keytool should warn about weak PBE algorithms [v2]

Hai-May Chao hchao at openjdk.org
Thu Feb 2 21:17:28 UTC 2023


On Thu, 26 Jan 2023 17:39:34 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Update with Max's comment
>
> Yeah, this is a little tricky. My feeling is that if you disable an algorithm like "RC2", it should cover all uses of it no matter what the keysize. If you only want to disable certain keysizes, then you should add a `keySize` constraint. We would need to make the parsing smarter so that "RC2 keySize <= 40" covers RC2_40 but not RC2_128, etc.
> 
> Hmac is another good corner case. It would be nice if we could have exceptions, like "SHA512", "!HmacSHA512". But that's a little more involved, and requires some more thought as to whether that is a good idea.

@seanjmullan @wangweij Thanks for the review.

-------------

PR: https://git.openjdk.org/jdk/pull/12056
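
Added example, not code from this thread or from the JDK: a hypothetical matcher (Java 14+) showing the semantics suggested in the quoted review, where a bare "RC2" covers every key size and "RC2 keySize <= 40" covers RC2_40 but not RC2_128. The class name, the constraint grammar and the rule for splitting PBE names are assumptions made for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical illustration only; this is not the JDK's constraint parser.
public class PbeConstraintDemo {
    // Name component carrying a key size in bits, e.g. "RC2_40" or "AES_128".
    private static final Pattern SIZED = Pattern.compile("([A-Za-z0-9]+)_(\\d+)");
    // Constraint forms taken from the thread: "RC2" or "RC2 keySize <= 40".
    private static final Pattern RULE =
        Pattern.compile("(\\S+)(?:\\s+keySize\\s*(<=|<|>=|>|==|!=)\\s*(\\d+))?");

    /** Returns true if the constraint disables the given PBE algorithm name. */
    static boolean disabled(String constraint, String pbeAlg) {
        Matcher r = RULE.matcher(constraint.trim());
        if (!r.matches()) throw new IllegalArgumentException("bad constraint: " + constraint);
        // Assumed decomposition: "PBEWithSHA1AndRC2_40" -> PBE, SHA1, RC2_40.
        // Components are compared whole, so "SHA512" does not match "HmacSHA512"
        // here; the thread leaves that corner case open.
        for (String part : pbeAlg.split("With|And")) {
            Matcher s = SIZED.matcher(part);
            boolean sized = s.matches();
            String cipher = sized ? s.group(1) : part;
            if (!cipher.equalsIgnoreCase(r.group(1))) continue;
            if (r.group(2) == null) return true;   // bare name: every key size
            if (!sized) continue;                  // assumption: unknown size is not matched
            int size = Integer.parseInt(s.group(2));
            int limit = Integer.parseInt(r.group(3));
            return switch (r.group(2)) {
                case "<=" -> size <= limit;
                case "<"  -> size < limit;
                case ">=" -> size >= limit;
                case ">"  -> size > limit;
                case "==" -> size == limit;
                default   -> size != limit;        // "!="
            };
        }
        return false;
    }

    public static void main(String[] args) {
        String[] rules = { "RC2", "RC2 keySize <= 40" };
        // Constructed sample inputs.
        String[] algs = { "PBEWithSHA1AndRC2_40", "PBEWithSHA1AndRC2_128",
                          "PBEWithHmacSHA256AndAES_128" };
        for (String rule : rules)
            for (String alg : algs)
                System.out.printf("%-20s %-30s disabled=%b%n", rule, alg, disabled(rule, alg));
    }
}
```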