RFR: 8286907: keytool should warn about weak PBE algorithms [v2]
Weijun Wang
weijun at openjdk.org
Thu Jan 26 12:33:18 UTC 2023
On Fri, 20 Jan 2023 22:03:29 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> Please review the fix to address the problem in keytool -genseckey and -importpass.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> Update with Max's comment
I said "one solution is to add RC2_40 and RC2_128" but I'm not sure if it's the right solution. If we resolve this issue in a separate issue, it means we believe the current decomposer implementation is correct and "RC2" SHOULD NOT cover "RC2_40". Thus. if one day we decide to disable AES, then we should disable all of AES_128, AES_192 and AES_256 since there are algorithm names like AES_192/OFB/NoPadding and PBEWithHmacSHA384AndAES_128. Let's find a agreement on this before closing out this issue.
-------------
PR: https://git.openjdk.org/jdk/pull/12056
More information about the security-dev
mailing list