RFR: 8353749: Improve security warning when using JKS or JCEKS keystores
Hai-May Chao
hchao at openjdk.org
Fri Oct 10 07:04:19 UTC 2025
On Mon, 6 Oct 2025 12:27:08 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> This PR improves the security warning when using JKS or JCEKS keystores.
>
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 244:
>
>> 242: private boolean allAliasesFound = true;
>> 243: private boolean hasMultipleManifests = false;
>> 244: private boolean outdatedFormat = false;
>
> Suggest calling this variable "weakKeyStore".
Done.
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 2419:
>
>> 2417: outdatedFormat = true;
>> 2418: }
>> 2419: }
>
> I don't think you need the `realStoreType` field. If you move this check to the end of the `else` block starting on line 2424 (which means the keystore is a file), and just check the `KeyStore.type()` I think it should be sufficient, ex:
>
>
> if (store.getType().equalsIgnoreCase("JKS")
> || store.getType().equalsIgnoreCase("JCEKS")) {
> weakKeyStore = true;
> }
Done.
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/resources/jarsigner.properties line 225:
>
>> 223: signature.verification.failed.on.entry.1.when.reading.via.jarinputstream=Signature verification failed on entry %s when reading via JarInputStream
>> 224: signature.verification.failed.on.entry.1.when.reading.via.jarfile=Signature verification failed on entry %s when reading via JarFile
>> 225: outdated.storetype.warning=%1$s uses outdated cryptographic algorithms and will be removed in a future release. Migrate to PKCS12 using:\n\
>
> Call this "jks.storetype.warning" so it is consistent with `keytool.properties`.
Done.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2418702964
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2418703223
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2418702879
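The check the reviewer suggests above, detecting a legacy keystore from `KeyStore.getType()` after the file has been loaded, is easy to try outside jarsigner. The following is an added stand-alone example, not code from the PR or from the JDK sources: it writes a constructed JCEKS keystore and a PKCS12 keystore to temporary files, loads each back with the format-probing `KeyStore.getInstance(File, char[])` overload (JDK 9+), and applies the `weakKeyStore` test. The warning text and the `keytool -importkeystore` migration command are this example's own wording, not the resource string from the PR.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class WeakKeyStoreCheck {

    // Mirrors the reviewer's suggestion: a keystore is "weak" when its detected
    // type is one of the legacy JDK formats, JKS or JCEKS.
    static boolean isWeakKeyStore(KeyStore store) {
        String type = store.getType();
        return type.equalsIgnoreCase("JKS") || type.equalsIgnoreCase("JCEKS");
    }

    // Loads a keystore file, letting the JDK probe the on-disk format, and
    // prints a migration hint when the store is a legacy type. Returns the flag
    // so a caller (or test) can act on it.
    static boolean checkFile(File file, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(file, password); // type is probed from file contents
        boolean weak = isWeakKeyStore(store);
        if (weak) {
            System.out.printf("Warning: %s uses outdated cryptographic algorithms (%s)."
                    + " Migrate to PKCS12 with:%n", file.getName(), store.getType());
            // Example migration command; -importkeystore and these flags are real keytool options.
            System.out.printf("  keytool -importkeystore -srckeystore %s -destkeystore %s.p12"
                    + " -deststoretype pkcs12%n", file.getName(), file.getName());
        } else {
            System.out.printf("OK: %s is a %s keystore.%n", file.getName(), store.getType());
        }
        return weak;
    }

    // Constructed sample data: build an in-memory keystore of the given type holding
    // one AES secret key and write it to a temporary file.
    static File writeSampleStore(String type, char[] password) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null); // fresh, empty keystore
        ks.setEntry("sample-key", new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(password));
        File out = File.createTempFile("sample-" + type.toLowerCase(), ".ks");
        out.deleteOnExit();
        try (FileOutputStream fos = new FileOutputStream(out)) {
            ks.store(fos, password);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed password for the sample files

        File jceks = writeSampleStore("JCEKS", pw);
        File pkcs12 = writeSampleStore("PKCS12", pw);

        boolean jceksWeak = checkFile(jceks, pw);   // expected: true, warning printed
        boolean pkcs12Weak = checkFile(pkcs12, pw); // expected: false

        if (!jceksWeak || pkcs12Weak) {
            throw new IllegalStateException("weak keystore detection gave unexpected result");
        }
    }
}
```

JKS is not exercised here because it cannot hold secret-key entries, so a JKS sample would need a generated private key and certificate chain; the same `getType()` comparison covers it. The probing overload is what makes the check cheap: no separate "real store type" bookkeeping is needed once the file has been opened, which is the point of the reviewer's comment.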