RFR: JDK-8211866 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
Hello all, This fixes an issue with the TLS 1.3 CertificateRequest message. In cases where the server side can initially support multiple protocol versions by the time it issues a CertificateRequest message it collects the list of supported signature schemes for the signature_algorithms and signature_algorithms_cert extensions using all supported protocols as a filtering mechanism. This change alters the filtering process to use only the negotiated protocol, so only those sig algs allowed for that one protocol version will be asserted. Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8211866/webrev.01/ JBS: https://bugs.openjdk.java.net/browse/JDK-8211866
Re: DSA default algorithm for keytool -genkeypair. Bad choice?
Any thought to just deprecating keytool as such and adding a new tool with more modern semantics? e.g. don't mess with what people are using (except for including a deprecation message), but fork the keytool source tree and do some developments to "ktts" - Key tool - the sequel. A lot more freedom to rethink the syntax and semantics of key pair and key store generation. Mike On 10/11/2018 11:44 AM, Sean Mullan wrote: I think if we all really think we are better off in the long run not having defaults, we probably want to do this over 2 releases and give an advance warning that the change is coming. In JDK 12, we could emit a warning, ex: $ keytool -genkeypair ... Warning: the default keypair alg (DSA) is a legacy algorithm and is no longer recommended. In the next release of the JDK, defaults will be removed and the -keyalg option must be specified. (that's a bit wordy, but you get the idea) --Sean On 10/11/18 9:30 AM, Adam Petcher wrote: On 10/10/2018 5:05 PM, Anthony Scarpino wrote: On 10/10/2018 07:42 AM, Weijun Wang wrote: If not DSA, should RSA be the new default? Or maybe RSASSA-PSS (I wonder if RSASSA-PSS signature can always use legacy RSA keys) or EC? We don't have an option to specify ECCurve in keytool yet (a string -keysize). --Max I would rather get rid of the default completely. +1 In addition to the usual problems with defaults, there is also the issue that the user doesn't specify how the key pair can be used. The current default produces a key that can only be used with signatures, but if we change the default, then the key may also be used for encryption (RSA) or key agreement (EC). I worry about the problems that can arise if we change the default in a way that increases the capability of the key pair that is produced.
Re: DSA default algorithm for keytool -genkeypair. Bad choice?
I think if we all really think we are better off in the long run not having defaults, we probably want to do this over 2 releases and give an advance warning that the change is coming. In JDK 12, we could emit a warning, ex: $ keytool -genkeypair ... Warning: the default keypair alg (DSA) is a legacy algorithm and is no longer recommended. In the next release of the JDK, defaults will be removed and the -keyalg option must be specified. (that's a bit wordy, but you get the idea) --Sean On 10/11/18 9:30 AM, Adam Petcher wrote: On 10/10/2018 5:05 PM, Anthony Scarpino wrote: On 10/10/2018 07:42 AM, Weijun Wang wrote: If not DSA, should RSA be the new default? Or maybe RSASSA-PSS (I wonder if RSASSA-PSS signature can always use legacy RSA keys) or EC? We don't have an option to specify ECCurve in keytool yet (a string -keysize). --Max I would rather get rid of the default completely. +1 In addition to the usual problems with defaults, there is also the issue that the user doesn't specify how the key pair can be used. The current default produces a key that can only be used with signatures, but if we change the default, then the key may also be used for encryption (RSA) or key agreement (EC). I worry about the problems that can arise if we change the default in a way that increases the capability of the key pair that is produced.
Re: DSA default algorithm for keytool -genkeypair. Bad choice?
On 10/10/2018 5:05 PM, Anthony Scarpino wrote: On 10/10/2018 07:42 AM, Weijun Wang wrote: If not DSA, should RSA be the new default? Or maybe RSASSA-PSS (I wonder if RSASSA-PSS signature can always use legacy RSA keys) or EC? We don't have an option to specify ECCurve in keytool yet (a string -keysize). --Max I would rather get rid of the default completely. +1 In addition to the usual problems with defaults, there is also the issue that the user doesn't specify how the key pair can be used. The current default produces a key that can only be used with signatures, but if we change the default, then the key may also be used for encryption (RSA) or key agreement (EC). I worry about the problems that can arise if we change the default in a way that increases the capability of the key pair that is produced.
Re: DSA default algorithm for keytool -genkeypair. Bad choice?
On 10/11/18 12:22 AM, Anthony Scarpino wrote: For one, it makes the user specify what they want, perhaps learning about certificates and making an educated choice. Secondly, and more importantly, it would not making it our decisions what is a default secure algorithm for all of java. If we could start over again, I definitely agree. It might be too late to make that kind of change now though. Moving to a middle solution where the defaults are configurable seems like it might be best for compatibility. BTW, I sometimes forget about this feature, but keytool does have a -conf option which allows you specify default options in a configuration file, ex: # A pre-configured options file keytool.all = -keystore ${user.home}/ks keytool.list = -v keytool.genkeypair = -keyalg rsa keytool -conf preconfig -genkeypair -alias me This option was never documented in the keytool docs, so I'll file a bug for that. It doesn't specifically solve the issue but it can help avoid long command lines and accidentally using the wrong default. --Sean Tony On 10/10/2018 06:33 PM, Weijun Wang wrote: I don't know what benefit it brings to a user to remove the default. Except from forcing DSA users to add a -keyalg option, RSA and EC users will not gain anything. --Max On Oct 11, 2018, at 5:05 AM, Anthony Scarpino wrote: On 10/10/2018 07:42 AM, Weijun Wang wrote: On Oct 10, 2018, at 7:59 PM, Sean Mullan wrote: There is really no other reason other than DSA keys have been the default keypairs generated by keytool for a long time, so there are some compatibility issues we would have to think through before changing it to another algorithm such as RSA. Weijun might have more insight into that. Not really. It was the default before I join Sun Microsystems many many years ago. Maybe it was a NIST standard? As for compatibility, as long as someone is still using DSA then they might not be specifying the -keyalg option. If not DSA, should RSA be the new default? Or maybe RSASSA-PSS (I wonder if RSASSA-PSS signature can always use legacy RSA keys) or EC? We don't have an option to specify ECCurve in keytool yet (a string -keysize). --Max I would rather get rid of the default completely. I realize there maybe scripting issues with that. If we made some documentation guarantees a default algorithm then maybe we are stuck with having a default and can use a security property. A part of me thinks it would be foolish for an application to assume a default algorithm and may deserve to be broken so they can fix it. Even if we didn't remove defaults from older java version, in future releases it would be nice to eliminate defaults were possible. With regard to a replacement, I'd prefer over EC than RSA given a choice. But either is ok. Tony
Re: DSA default algorithm for keytool -genkeypair. Bad choice?
On 10/10/18 4:52 PM, Michael StJohns wrote: There is really no other reason other than DSA keys have been the default keypairs generated by keytool for a long time, so there are some compatibility issues we would have to think through before changing it to another algorithm such as RSA. Weijun might have more insight into that. Not really. It was the default before I join Sun Microsystems many many years ago. I think it was made the default because at the time the RSA patent had not expired yet. JDK 1.1 (when keytool was introduced) release date: February 19, 1997 RSA patent expiration: September 21, 2000 --Sean