RFR: 8286907: keytool should warn about weak PBE algorithms [v2]

Sean Mullan mullan at openjdk.org
Thu Jan 26 17:42:18 UTC 2023

On Fri, 20 Jan 2023 22:03:29 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> Please review the fix to address the problem in keytool -genseckey and -importpass.
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>   Update with Max's comment

Yeah, this is a little tricky. My feeling is that if you disable an algorithm like "RC2", it should cover all uses of it no matter what the keysize. If you only want to disable certain keysizes, then you should add a keysize constraint. We would need to make the parsing smarter so that "RC keysize <= 40" covers RC_40 but not RC_128, etc.

Hmac is another good corner case. It would be nice if we could have exceptions, like "SHA512", "!HmacSHA512". But that's a little more involved, and requires some more thought as to whether that is a good idea.


PR: https://git.openjdk.org/jdk/pull/12056

More information about the security-dev mailing list