RFR: 8286907: keytool should warn about weak PBE algorithms
Weijun Wang
weijun at openjdk.org
Wed Jan 18 03:32:20 UTC 2023
On Tue, 17 Jan 2023 23:25:42 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
> Please review the fix to address the problem in keytool -genseckey and -importpass.
src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1840:
> 1838: }
> 1839:
> 1840: String[] weakAlgs = new String[] {"DES", "DESEDE", "MD5", "SHA1", "RC2", "RC4"};
Instead of hardcoding the weak algorithms here, the security property `jdk.security.legacyAlgorithms` should probably be used. We can decompose the PBE algorithm name to parts and make the comparison. For example, "PBEWithSHA1AndDESede" should only match "DESede" but not "DES".
-------------
PR: https://git.openjdk.org/jdk/pull/12056
More information about the security-dev
mailing list