RFR: 8342062: Reformat keytool and jarsigner output for keys with a named parameter set [v5]

Sean Mullan mullan at openjdk.org
Fri Jan 10 14:39:49 UTC 2025


On Fri, 10 Jan 2025 01:01:28 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Traditionally, an asymmetric key has a key size. The size is displayed by `keytool` and `jarsigner`, both in informational output and weak-key warnings. However, for the recently added ML-DSA algorithm, key size is not defined.
>> 
>> Thus when an ML-DSA key is created, `keytool` shows
>> 
>> Generating -1 bit ML-DSA-65 key pair...
>> 
>> When the entry is being displayed by `keytool -list -v`, it shows
>> 
>> Subject Public Key Algorithm: -1-bit ML-DSA-65 key
>> 
>> If the algorithm is disabled, `keytool -list` shows
>> 
>> <x> uses a -1-bit ML-DSA-65 key which is considered a security risk...
>> 
>> Furthermore, if a JAR file is signed by ML-DSA, `jarsigner -verify` also shows
>> 
>> Signature algorithm: ML-DSA-65, unknown size
>> 
>> or when the algorithm is disabled, it shows
>> 
>> Signature algorithm: ML-DSA-65, -1-bit key (disabled)
>> The ML-DSA-65 signing key has a keysize of -1 which is considered a security risk.
>> 
>> 
>> With this code change, a key can either have a key size, or be characterized by a `NamedParameterSpec`, and the display chooses one of them.
>> 
>> One special case is EC keys, which have both a keysize and a `NamedParameterSpec`. Both are displayed.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   one missing year change

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2068:

> 2066:      * Returns the full display name of the given key object. Could be
> 2067:      * - "X25519", if its getParams() is NamedParameterSpec
> 2068:      * - "EC (secp256r1)", if it's an EC key

Is this true if it is a 3rd-party provider? `NamedCurve` is an internal class.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22735#discussion_r1910461431
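As an added illustration (not code from the PR or the JDK), the same size-or-named-parameter-set classification written against public JDK APIs only; the EC curve name is resolved through `AlgorithmParameters` rather than the internal `NamedCurve` class the review comment refers to. Assumed: JDK 24 or later (for `AsymmetricKey.getParams()` and the `ML-DSA-65` generator), and an output format that only approximates keytool's wording.

```java
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;

/** Display name for a key: bit size, named parameter set, or both (EC). Added example, assumed format. */
public class KeyDisplay {

    /** E.g. "2048-bit RSA", "ML-DSA-65" (no size), "EC (secp256r1), 256-bit". */
    public static String describe(AsymmetricKey key) {
        String alg = key.getAlgorithm();
        AlgorithmParameterSpec params = key.getParams();   // AsymmetricKey.getParams(), JDK 22+

        if (key instanceof ECKey ec) {
            // EC keys carry both a curve (named parameter set) and a field size: show both.
            int bits = ec.getParams().getCurve().getField().getFieldSize();
            String curve = curveName(ec.getParams());
            return curve == null ? bits + "-bit EC" : "EC (" + curve + "), " + bits + "-bit";
        }
        if (params instanceof NamedParameterSpec nps) {
            // X25519, Ed25519, ML-DSA-65, ...: no meaningful bit size, so show the set name.
            return nps.getName();
        }
        int bits = keySize(key);
        return bits > 0 ? bits + "-bit " + alg : alg + ", unknown size";
    }

    /** Key size for algorithms that define one; -1 otherwise (the sentinel keytool used to print). */
    static int keySize(AsymmetricKey key) {
        if (key instanceof RSAKey rsa) return rsa.getModulus().bitLength();
        if (key instanceof DSAKey dsa) return dsa.getParams().getP().bitLength();
        return -1;
    }

    /** Curve name via AlgorithmParameters("EC"); null for a curve the provider does not know by name. */
    static String curveName(ECParameterSpec spec) {
        try {
            AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
            ap.init(spec);   // throws InvalidParameterSpecException for an unnamed/custom curve
            return ap.getParameterSpec(ECGenParameterSpec.class).getName();
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        for (String alg : new String[] {"RSA", "EC", "Ed25519", "ML-DSA-65"}) {
            KeyPair kp = KeyPairGenerator.getInstance(alg).generateKeyPair();
            System.out.println(describe(kp.getPublic()));
        }
    }
}
```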

