RFR: 8353749: Improve security warning when using JKS or JCEKS keystores
Sean Mullan
mullan at openjdk.org
Mon Oct 6 12:38:47 UTC 2025
On Fri, 3 Oct 2025 16:26:13 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
> This PR improves the security warning when using JKS or JCEKS keystores.
src/java.base/share/classes/java/security/KeyStore.java line 832:
> 830: }
> 831:
> 832: private static void outdatedKeyStoreLog(String type) {
I think it would be simpler to include this warning in the constructor of `sun.security.provider.JavaKeyStore`. Then you don't need to call this method.
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 244:
> 242: private boolean allAliasesFound = true;
> 243: private boolean hasMultipleManifests = false;
> 244: private boolean outdatedFormat = false;
Suggest calling this variable "weakKeyStore".
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1490:
> 1488: warnings.add(String.format(rb.getString(
> 1489: "outdated.storetype.warning"),
> 1490: realStoreType, keystore));
You can pass `store.getType()` instead of `realStoreType` here.
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 2419:
> 2417: outdatedFormat = true;
> 2418: }
> 2419: }
I don't think you need the `realStoreType` field. If you move this check to the end of the `else` block starting on line 2424 (which means the keystore is a file), and just check the `KeyStore.type()` I think it should be sufficient, ex:
    if (store.getType().equalsIgnoreCase("JKS")
            || store.getType().equalsIgnoreCase("JCEKS")) {
        weakKeyStore = true;
    }
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/resources/jarsigner.properties line 225:
> 223: signature.verification.failed.on.entry.1.when.reading.via.jarinputstream=Signature verification failed on entry %s when reading via JarInputStream
> 224: signature.verification.failed.on.entry.1.when.reading.via.jarfile=Signature verification failed on entry %s when reading via JarFile
> 225: outdated.storetype.warning=%1$s uses outdated cryptographic algorithms and will be removed in a future release. Migrate to PKCS12 using:\n\
Call this "jks.storetype.warning" so it is consistent with `keytool.properties`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2406034343
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2406011582
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2406027915
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2406025879
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2406004701
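An added example, not code from the PR or the JDK, showing the type check the reviewer suggests applied to a keystore loaded with format probing, followed by the migration to PKCS12 that the warning text recommends. The class name, the file paths in the usage line, and the assumption that every key entry is protected by the store password (keytool's default) are mine.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import java.util.Locale;

/** Added example: detect legacy JKS/JCEKS keystores and write a PKCS12 copy. */
public final class KeyStoreMigrator {

    /** Same test as the suggested jarsigner check, applied to a probed keystore. */
    static boolean isWeakKeyStore(KeyStore ks) {
        String type = ks.getType().toUpperCase(Locale.ROOT);
        return type.equals("JKS") || type.equals("JCEKS");
    }

    /**
     * KeyStore.getInstance(File, char[]) probes the file, so getType() reports the
     * real format rather than the configured default (PKCS12). Returns true when a
     * legacy store was found and a PKCS12 copy was written to dest.
     */
    static boolean migrateIfLegacy(File src, char[] password, File dest)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(src, password);
        if (!isWeakKeyStore(ks)) {
            return false;
        }
        System.err.printf("Warning: %s is a %s keystore, which uses outdated "
                + "cryptographic algorithms; writing a PKCS12 copy to %s%n",
                src, ks.getType(), dest);
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null);
        KeyStore.PasswordProtection prot = new KeyStore.PasswordProtection(password);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // Assumption: key entries use the store password; certificate entries take no password.
            boolean certOnly = ks.isCertificateEntry(alias);
            KeyStore.Entry entry = ks.getEntry(alias, certOnly ? null : prot);
            p12.setEntry(alias, entry, certOnly ? null : prot);
        }
        try (FileOutputStream out = new FileOutputStream(dest)) {
            p12.store(out, password);
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Usage (placeholder paths): java KeyStoreMigrator old.jks <password> new.p12
        migrateIfLegacy(new File(args[0]), args[1].toCharArray(), new File(args[2]));
    }
}
```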