Re: RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-08 Thread Hai-May Chao
Hi Max,

Thanks for your review.
I’ve updated webrev with your comment.

Hai-May


> On Apr 7, 2020, at 8:13 PM, Weijun Wang wrote:
> 
> Everything looks fine, except a very tiny issue:
> 
> 1332     private String verifyWithWeak(PublicKey key) {
> 1333         if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
> 1334             if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
> 1335                 int kLen = KeyUtil.getKeySize(key);
> 1336                 if (kLen >= 0) {
> 1337                     return String.format(rb.getString("key.bit"), kLen);
> 1338                 } else {
> 1339                     return rb.getString("unknown.size");
> 1340                 }
> 1341             } else {
> 1342                 weakPublicKey = key;
> 1343                 legacyAlg |= 8;
> 1344                 return String.format(rb.getString("key.bit.weak"), KeyUtil.getKeySize(key));
> 1345             }
> 1346         } else {
> 1347             disabledAlgFound = true;
> 1348             return String.format(rb.getString("key.bit.disabled"), KeyUtil.getKeySize(key));
> 1349         }
> 1350     }
> 
> You can move line 1335 before line 1334 since the size is also used in the 
> else block on lines 1342-1344.
> 
> Thanks,
> Max
> 
>> On Apr 6, 2020, at 12:51 AM, Hai-May Chao wrote:
>> 
>> Here is the webrev:
>> 
>> http://cr.openjdk.java.net/~weijun/8172404/webrev.00/
>> 
>> Thanks,
>> Hai-May
>> 
>> 
>>> On Apr 4, 2020, at 11:41 PM, Hai-May Chao wrote:
>>> 
>>> Hi,
>>> 
>>> I'd like to request a review for:
>>> 
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8172404
>>> CSR: https://bugs.openjdk.java.net/browse/JDK-8238640
>>> 
>>> It’d be useful to start warning users that certain algorithms and key 
>>> lengths are becoming weak, so that users could begin to transition away 
>>> from them before they are actually disabled. A new security property named 
>>> jdk.security.legacyAlgorithms is added to the java.security file to list 
>>> the legacy algorithms. The keytool and jarsigner tools are enhanced to 
>>> enforce the new property and to emit the warning messages when legacy 
>>> algorithms are used.
>>> 
>>> Thanks,
>>> Hai-May
>> 
> 



Re: RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-07 Thread Weijun Wang
Everything looks fine, except a very tiny issue:

1332     private String verifyWithWeak(PublicKey key) {
1333         if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
1334             if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
1335                 int kLen = KeyUtil.getKeySize(key);
1336                 if (kLen >= 0) {
1337                     return String.format(rb.getString("key.bit"), kLen);
1338                 } else {
1339                     return rb.getString("unknown.size");
1340                 }
1341             } else {
1342                 weakPublicKey = key;
1343                 legacyAlg |= 8;
1344                 return String.format(rb.getString("key.bit.weak"), KeyUtil.getKeySize(key));
1345             }
1346         } else {
1347             disabledAlgFound = true;
1348             return String.format(rb.getString("key.bit.disabled"), KeyUtil.getKeySize(key));
1349         }
1350     }

You can move line 1335 before line 1334 since the size is also used in the else 
block on lines 1342-1344.

Thanks,
Max

> On Apr 6, 2020, at 12:51 AM, Hai-May Chao wrote:
> 
> Here is the webrev:
> 
> http://cr.openjdk.java.net/~weijun/8172404/webrev.00/
> 
> Thanks,
> Hai-May
> 
> 
>> On Apr 4, 2020, at 11:41 PM, Hai-May Chao wrote:
>> 
>> Hi,
>> 
>> I'd like to request a review for:
>> 
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8172404
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8238640
>> 
>> It’d be useful to start warning users that certain algorithms and key 
>> lengths are becoming weak, so that users could begin to transition away 
>> from them before they are actually disabled. A new security property named 
>> jdk.security.legacyAlgorithms is added to the java.security file to list the 
>> legacy algorithms. The keytool and jarsigner tools are enhanced to enforce 
>> the new property and to emit the warning messages when legacy algorithms are 
>> used.
>> 
>> Thanks,
>> Hai-May
> 
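The three-tier check discussed in this message (disabled, legacy/weak, acceptable), with the key size computed once before the branches as the review suggests. This is an added example, not code from the thread or the JDK sources: the class name, the two predicates standing in for DISABLED_CHECK and LEGACY_CHECK, the `keySize` helper standing in for KeyUtil.getKeySize, the boolean flags, the message strings and the 1024/2048-bit thresholds are all assumptions made for illustration.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.function.IntPredicate;

public class WeakKeyTiers {
    // Hypothetical stand-ins for DISABLED_CHECK / LEGACY_CHECK; true means
    // "permitted". Thresholds are constructed for this example only.
    static final IntPredicate DISABLED_PERMITS = bits -> bits < 0 || bits >= 1024;
    static final IntPredicate LEGACY_PERMITS = bits -> bits < 0 || bits >= 2048;

    // Simplified flags playing the role of disabledAlgFound and legacyAlg.
    static boolean disabledFound = false;
    static boolean legacyFound = false;

    // Hypothetical stand-in for KeyUtil.getKeySize: -1 when the size is unknown.
    static int keySize(PublicKey key) {
        return (key instanceof RSAPublicKey)
                ? ((RSAPublicKey) key).getModulus().bitLength()
                : -1;
    }

    static String describe(PublicKey key) {
        int kLen = keySize(key); // computed once, shared by every branch
        if (!DISABLED_PERMITS.test(kLen)) {
            disabledFound = true;          // tool should report an error-level warning
            return kLen + "-bit key (disabled)";
        }
        if (!LEGACY_PERMITS.test(kLen)) {
            legacyFound = true;            // still works today, but warn the user
            return kLen + "-bit key (weak)";
        }
        return kLen >= 0 ? kLen + "-bit key" : "unknown size key";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys, generated locally so the example runs offline.
        for (int bits : new int[] {512, 1024, 2048}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(bits);
            System.out.println(describe(kpg.generateKeyPair().getPublic()));
        }
        System.out.println("legacy=" + legacyFound + " disabled=" + disabledFound);
    }
}
```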



Re: RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-05 Thread Hai-May Chao
Here is the webrev:

http://cr.openjdk.java.net/~weijun/8172404/webrev.00/

Thanks,
Hai-May


> On Apr 4, 2020, at 11:41 PM, Hai-May Chao wrote:
> 
> Hi,
> 
> I'd like to request a review for:
> 
> Bug: https://bugs.openjdk.java.net/browse/JDK-8172404
> CSR: https://bugs.openjdk.java.net/browse/JDK-8238640
> 
> It’d be useful to start warning users that certain algorithms and key lengths 
> are becoming weak, so that users could begin to transition away from them 
> before they are actually disabled. A new security property named 
> jdk.security.legacyAlgorithms is added to the java.security file to list the 
> legacy algorithms. The keytool and jarsigner tools are enhanced to enforce 
> the new property and to emit the warning messages when legacy algorithms are 
> used.
> 
> Thanks,
> Hai-May