Re: RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-08 Thread Hai-May Chao
Hi Max,

Thanks for your review.
I’ve updated webrev with your comment.

Hai-May


> On Apr 7, 2020, at 8:13 PM, Weijun Wang  wrote:
> 
> Everything looks fine, except a very tiny issue:
> 
> 1332     private String verifyWithWeak(PublicKey key) {
> 1333         if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
> 1334             if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
> 1335                 int kLen = KeyUtil.getKeySize(key);
> 1336                 if (kLen >= 0) {
> 1337                     return String.format(rb.getString("key.bit"), kLen);
> 1338                 } else {
> 1339                     return rb.getString("unknown.size");
> 1340                 }
> 1341             } else {
> 1342                 weakPublicKey = key;
> 1343                 legacyAlg |= 8;
> 1344                 return String.format(rb.getString("key.bit.weak"), KeyUtil.getKeySize(key));
> 1345             }
> 1346         } else {
> 1347             disabledAlgFound = true;
> 1348             return String.format(rb.getString("key.bit.disabled"), KeyUtil.getKeySize(key));
> 1349         }
> 1350     }
> 
> You can move line 1335 before line 1334 since the size is also used in the 
> else block on lines 1342-1344.
> 
> Thanks,
> Max
> 
>> On Apr 6, 2020, at 12:51 AM, Hai-May Chao  wrote:
>> 
>> Here is the webrev:
>> 
>> http://cr.openjdk.java.net/~weijun/8172404/webrev.00/
>> 
>> Thanks,
>> Hai-May
>> 
>> 
>>> On Apr 4, 2020, at 11:41 PM, Hai-May Chao  wrote:
>>> 
>>> Hi,
>>> 
>>> I'd like to request a review for:
>>> 
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8172404
>>> CSR: https://bugs.openjdk.java.net/browse/JDK-8238640
>>> 
>>> It’d be useful to start warning users that certain algorithms and key 
>>> lengths are becoming weak, so that users could begin to transition away from 
>>> them before they are actually disabled. A new security property named 
>>> jdk.security.legacyAlgorithms is added to the java.security file to list 
>>> the legacy algorithms. The keytool and jarsigner tools are enhanced to 
>>> enforce the new property and to emit the warning messages when legacy 
>>> algorithms are used.
>>> 
>>> Thanks,
>>> Hai-May
>> 
> 



Re: RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-07 Thread Weijun Wang
Everything looks fine, except a very tiny issue:

1332     private String verifyWithWeak(PublicKey key) {
1333         if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
1334             if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
1335                 int kLen = KeyUtil.getKeySize(key);
1336                 if (kLen >= 0) {
1337                     return String.format(rb.getString("key.bit"), kLen);
1338                 } else {
1339                     return rb.getString("unknown.size");
1340                 }
1341             } else {
1342                 weakPublicKey = key;
1343                 legacyAlg |= 8;
1344                 return String.format(rb.getString("key.bit.weak"), KeyUtil.getKeySize(key));
1345             }
1346         } else {
1347             disabledAlgFound = true;
1348             return String.format(rb.getString("key.bit.disabled"), KeyUtil.getKeySize(key));
1349         }
1350     }

You can move line 1335 before line 1334 since the size is also used in the else 
block on lines 1342-1344.

Thanks,
Max

> On Apr 6, 2020, at 12:51 AM, Hai-May Chao  wrote:
> 
> Here is the webrev:
> 
> http://cr.openjdk.java.net/~weijun/8172404/webrev.00/
> 
> Thanks,
> Hai-May
> 
> 
>> On Apr 4, 2020, at 11:41 PM, Hai-May Chao  wrote:
>> 
>> Hi,
>> 
>> I'd like to request a review for:
>> 
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8172404
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8238640
>> 
>> It’d be useful to start warning users that certain algorithms and key 
>> lengths are becoming weak, so that users could begin to transition away from 
>> them before they are actually disabled. A new security property named 
>> jdk.security.legacyAlgorithms is added to the java.security file to list the 
>> legacy algorithms. The keytool and jarsigner tools are enhanced to enforce 
>> the new property and to emit the warning messages when legacy algorithms are 
>> used.
>> 
>> Thanks,
>> Hai-May
> 
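
The three-way outcome this review discusses (permitted, legacy with a warning, disabled), as an added stand-alone example that is not the JDK's code and not part of the thread. The class and method names and the two policy strings are constructed for illustration; the parser understands only `keySize <` entries and the check handles RSA keys only.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LegacyKeyCheck {
    // Constructed sample policies in java.security constraint syntax (not read from a real JDK).
    static final String DISABLED = "MD2, MD5, RSA keySize < 1024";
    static final String LEGACY = "SHA1, RSA keySize < 2048";

    // Simplified: only "<alg> keySize < <n>" entries are understood; all others are ignored.
    static final Pattern KEYSIZE = Pattern.compile("(\\w+)\\s+keySize\\s*<\\s*(\\d+)");

    /** True if no "alg keySize < n" entry in the policy rejects this algorithm and size. */
    static boolean permits(String policy, String alg, int bits) {
        for (String entry : policy.split(",")) {
            Matcher m = KEYSIZE.matcher(entry.trim());
            if (m.matches() && m.group(1).equalsIgnoreCase(alg)
                    && bits < Integer.parseInt(m.group(2))) {
                return false;
            }
        }
        return true;
    }

    /** Disabled takes precedence over legacy; the size is computed once for every branch. */
    static String classify(PublicKey key) {
        int bits = ((RSAPublicKey) key).getModulus().bitLength();
        String alg = key.getAlgorithm();
        if (!permits(DISABLED, alg, bits)) {
            return bits + "-bit " + alg + " key (disabled)";
        }
        if (!permits(LEGACY, alg, bits)) {
            return bits + "-bit " + alg + " key (weak)";
        }
        return bits + "-bit " + alg + " key";
    }

    public static void main(String[] args) throws Exception {
        // Keys are generated locally as sample input: one per tier.
        for (int size : new int[] {512, 1024, 2048}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(size);
            System.out.println(classify(kpg.generateKeyPair().getPublic()));
        }
    }
}
```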



Re: RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-05 Thread Hai-May Chao
Here is the webrev:

http://cr.openjdk.java.net/~weijun/8172404/webrev.00/

Thanks,
Hai-May


> On Apr 4, 2020, at 11:41 PM, Hai-May Chao  wrote:
> 
> Hi,
> 
> I'd like to request a review for:
> 
> Bug: https://bugs.openjdk.java.net/browse/JDK-8172404 
> 
> CSR: https://bugs.openjdk.java.net/browse/JDK-8238640 
> 
> 
> It’d be useful to start warning users that certain algorithms and key lengths 
> are becoming weak, so that users could begin to transition away from them before 
> they are actually disabled. A new security property named 
> jdk.security.legacyAlgorithms is added to the java.security file to list the 
> legacy algorithms. The keytool and jarsigner tools are enhanced to enforce 
> the new property and to emit the warning messages when legacy algorithms are 
> used.
> 
> Thanks,
> Hai-May



RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-05 Thread Hai-May Chao
Hi,

I'd like to request a review for:

Bug: https://bugs.openjdk.java.net/browse/JDK-8172404 

CSR: https://bugs.openjdk.java.net/browse/JDK-8238640 


It’d be useful to start warning users that certain algorithms and key lengths 
are becoming weak, so that users could begin to transition away from them before 
they are actually disabled. A new security property named 
jdk.security.legacyAlgorithms is added to the java.security file to list the 
legacy algorithms. The keytool and jarsigner tools are enhanced to enforce the 
new property and to emit the warning messages when legacy algorithms are used.

Thanks,
Hai-May