RFR: JDK-8211866 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
Hello all, This fixes an issue with the TLS 1.3 CertificateRequest message. In cases where the server side can initially support multiple protocol versions by the time it issues a CertificateRequest message it collects the list of supported signature schemes for the signature_algorithms and signature_algorithms_cert extensions using all supported protocols as a filtering mechanism. This change alters the filtering process to use only the negotiated protocol, so only those sig algs allowed for that one protocol version will be asserted. Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8211866/webrev.01/ JBS: https://bugs.openjdk.java.net/browse/JDK-8211866
Re: DSA default algorithm for keytool -genkeypair. Bad choice?
Any thought to just deprecating keytool as such and adding a new tool with more modern semantics? e.g. don't mess with what people are using (except for including a deprecation message), but fork the keytool source tree and do some developments to "ktts" - Key tool - the sequel. A lot more freedom to rethink the syntax and semantics of key pair and key store generation. Mike On 10/11/2018 11:44 AM, Sean Mullan wrote: I think if we all really think we are better off in the long run not having defaults, we probably want to do this over 2 releases and give an advance warning that the change is coming. In JDK 12, we could emit a warning, ex: $ keytool -genkeypair ... Warning: the default keypair alg (DSA) is a legacy algorithm and is no longer recommended. In the next release of the JDK, defaults will be removed and the -keyalg option must be specified. (that's a bit wordy, but you get the idea) --Sean On 10/11/18 9:30 AM, Adam Petcher wrote: On 10/10/2018 5:05 PM, Anthony Scarpino wrote: On 10/10/2018 07:42 AM, Weijun Wang wrote: If not DSA, should RSA be the new default? Or maybe RSASSA-PSS (I wonder if RSASSA-PSS signature can always use legacy RSA keys) or EC? We don't have an option to specify ECCurve in keytool yet (a string -keysize). --Max I would rather get rid of the default completely. +1 In addition to the usual problems with defaults, there is also the issue that the user doesn't specify how the key pair can be used. The current default produces a key that can only be used with signatures, but if we change the default, then the key may also be used for encryption (RSA) or key agreement (EC). I worry about the problems that can arise if we change the default in a way that increases the capability of the key pair that is produced.
Re: DSA default algorithm for keytool -genkeypair. Bad choice?
I think if we all really think we are better off in the long run not having defaults, we probably want to do this over 2 releases and give an advance warning that the change is coming. In JDK 12, we could emit a warning, ex: $ keytool -genkeypair ... Warning: the default keypair alg (DSA) is a legacy algorithm and is no longer recommended. In the next release of the JDK, defaults will be removed and the -keyalg option must be specified. (that's a bit wordy, but you get the idea) --Sean On 10/11/18 9:30 AM, Adam Petcher wrote: On 10/10/2018 5:05 PM, Anthony Scarpino wrote: On 10/10/2018 07:42 AM, Weijun Wang wrote: If not DSA, should RSA be the new default? Or maybe RSASSA-PSS (I wonder if RSASSA-PSS signature can always use legacy RSA keys) or EC? We don't have an option to specify ECCurve in keytool yet (a string -keysize). --Max I would rather get rid of the default completely. +1 In addition to the usual problems with defaults, there is also the issue that the user doesn't specify how the key pair can be used. The current default produces a key that can only be used with signatures, but if we change the default, then the key may also be used for encryption (RSA) or key agreement (EC). I worry about the problems that can arise if we change the default in a way that increases the capability of the key pair that is produced.
Re: DSA default algorithm for keytool -genkeypair. Bad choice?
On 10/10/2018 5:05 PM, Anthony Scarpino wrote: On 10/10/2018 07:42 AM, Weijun Wang wrote: If not DSA, should RSA be the new default? Or maybe RSASSA-PSS (I wonder if RSASSA-PSS signature can always use legacy RSA keys) or EC? We don't have an option to specify ECCurve in keytool yet (a string -keysize). --Max I would rather get rid of the default completely. +1 In addition to the usual problems with defaults, there is also the issue that the user doesn't specify how the key pair can be used. The current default produces a key that can only be used with signatures, but if we change the default, then the key may also be used for encryption (RSA) or key agreement (EC). I worry about the problems that can arise if we change the default in a way that increases the capability of the key pair that is produced.
Re: DSA default algorithm for keytool -genkeypair. Bad choice?
On 10/11/18 12:22 AM, Anthony Scarpino wrote:
For one, it makes the user specify what they want, perhaps learning
about certificates and making an educated choice. Secondly, and more
importantly, it would not making it our decisions what is a default
secure algorithm for all of java.
If we could start over again, I definitely agree. It might be too late
to make that kind of change now though. Moving to a middle solution
where the defaults are configurable seems like it might be best for
compatibility.
BTW, I sometimes forget about this feature, but keytool does have a
-conf option which allows you specify default options in a configuration
file, ex:
# A pre-configured options file
keytool.all = -keystore ${user.home}/ks
keytool.list = -v
keytool.genkeypair = -keyalg rsa
keytool -conf preconfig -genkeypair -alias me
This option was never documented in the keytool docs, so I'll file a bug
for that.
It doesn't specifically solve the issue but it can help avoid long
command lines and accidentally using the wrong default.
--Sean
Tony
On 10/10/2018 06:33 PM, Weijun Wang wrote:
I don't know what benefit it brings to a user to remove the default.
Except from forcing DSA users to add a -keyalg option, RSA and EC
users will not gain anything.
--Max
On Oct 11, 2018, at 5:05 AM, Anthony Scarpino
wrote:
On 10/10/2018 07:42 AM, Weijun Wang wrote:
On Oct 10, 2018, at 7:59 PM, Sean Mullan
wrote:
There is really no other reason other than DSA keys have been the
default keypairs generated by keytool for a long time, so there are
some compatibility issues we would have to think through before
changing it to another algorithm such as RSA. Weijun might have
more insight into that.
Not really. It was the default before I join Sun Microsystems many
many years ago. Maybe it was a NIST standard?
As for compatibility, as long as someone is still using DSA then
they might not be specifying the -keyalg option.
If not DSA, should RSA be the new default? Or maybe RSASSA-PSS (I
wonder if RSASSA-PSS signature can always use legacy RSA keys) or
EC? We don't have an option to specify ECCurve in keytool yet (a
string -keysize).
--Max
I would rather get rid of the default completely.
I realize there maybe scripting issues with that. If we made some
documentation guarantees a default algorithm then maybe we are stuck
with having a default and can use a security property. A part of me
thinks it would be foolish for an application to assume a default
algorithm and may deserve to be broken so they can fix it.
Even if we didn't remove defaults from older java version, in future
releases it would be nice to eliminate defaults were possible.
With regard to a replacement, I'd prefer over EC than RSA given a
choice. But either is ok.
Tony
Re: DSA default algorithm for keytool -genkeypair. Bad choice?
On 10/10/18 4:52 PM, Michael StJohns wrote: There is really no other reason other than DSA keys have been the default keypairs generated by keytool for a long time, so there are some compatibility issues we would have to think through before changing it to another algorithm such as RSA. Weijun might have more insight into that. Not really. It was the default before I join Sun Microsystems many many years ago. I think it was made the default because at the time the RSA patent had not expired yet. JDK 1.1 (when keytool was introduced) release date: February 19, 1997 RSA patent expiration: September 21, 2000 --Sean
