RFR: 8286907: keytool should warn about weak PBE algorithms [v2]
Weijun Wang
weijun at openjdk.org
Fri Jan 27 22:04:19 UTC 2023
On Fri, 20 Jan 2023 22:03:29 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> Please review the fix to address the problem in keytool -genseckey and -importpass.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> Update with Max's comment
Marked as reviewed by weijun (Reviewer).
`SecretKeyFactory.getInstance("PBE")` also generates PBEwithMD5andDES keys. I believe that's because `PBE` is an alias of `PBEwithMD5andDES`. Therefore it you use this factory to generate keys for other algorithms, do not rely on the algorithm.
Anyway, we can resolve the RC2_40 and AES_128 issues in another fix. The current code change looks fine for this bug.
-------------
PR: https://git.openjdk.org/jdk/pull/12056
More information about the security-dev
mailing list