On 3/29/17 12:13 PM, Xuelei Fan wrote:
I see the point that a trust anchor should be trusted.  At the application
level, we don't actually check the weakness of a trust anchor because the user
has made the decision to trust the cert.  However, at the keytool level, I
think it might be nice to warn about weakness in a trust anchor too so that
users can be aware of the weakness and make a good decision.  Maybe a user
doesn't want to trust a cert again if he knows there is a weakness.

What do you think?

I don't think we should be checking if the signature algorithm of trust anchors or root certificates is weak. The fingerprints of these root certs are manually verified before they are imported into the cacerts file. Once installed, the key is directly trusted and the signature on the certificate is not checked when it is used as a trust anchor. SHA-1 and even MD5 roots may exist in the cacerts keystore and may still be needed to verify certificates still in use or to verify signed code that has been previously timestamped. These would only generate false warnings with keytool.

--Sean


Xuelei

On 3/29/2017 1:38 AM, Weijun Wang wrote:
Webrev updated at

  http://cr.openjdk.java.net/~weijun/8177569/webrev.01

Changes since last version:

- Trusted cert entries in the current keystore are also trusted. See the
new isTrusted() method.

- A cert is treated as a root CA cert only if -trustcacerts is specified.

- In the current keytool documentation, -trustcacerts is only designed
for -importcert, and it should have no effect on other commands.
Therefore the internal trustcacerts flag is reset when the command is not
IMPORTCERT. We might reconsider this in a future release (JDK-8177760).

- Several checkWeak() calls are moved before the keyStore change so the
check is only based on the original keystore content. This prevents a new
cert from being treated as trusted while it is being -import'ed.

- Test modifications.

Thanks
Max

On 03/27/2017 09:43 AM, Weijun Wang wrote:
Please take a review at

   http://cr.openjdk.java.net/~weijun/8177569/webrev.00/

Since our implementation of CertPath validation does not check for the
signature algorithm of a root CA, keytool should not warn about its
weakness either.

Thanks
Max
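As an added illustration (not code from the thread or from the JDK), the following Python model encodes the rules summarised for webrev.01: trusted entries in the current keystore are trusted, cacerts roots count only under -importcert with -trustcacerts, trust anchors are never warned about because their signature is not verified, and the weak check runs against the keystore as it was before an import. The weak-algorithm set, the `Cert` and `KeyStore` types and the sample certs are constructed assumptions.

```python
from dataclasses import dataclass

# Assumption: an illustrative set of weak signature algorithms.
WEAK_SIG_ALGS = {"MD5withRSA", "SHA1withRSA"}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str

class KeyStore:
    """Minimal stand-in for a keytool keystore: alias -> trusted cert entry."""
    def __init__(self):
        self.trusted = {}

def is_trusted(cert, keystore, cacerts, trustcacerts):
    """Trusted cert entries in the current keystore are always trusted;
    a root CA cert from cacerts counts only when -trustcacerts is in effect."""
    if cert in keystore.trusted.values():
        return True
    return trustcacerts and cert in cacerts

def check_weak(chain, keystore, cacerts, command, trustcacerts):
    """One warning per cert in `chain` with a weak signature algorithm,
    skipping trust anchors (their own signature is never verified)."""
    if command != "importcert":   # -trustcacerts only affects -importcert
        trustcacerts = False
    return [f"{c.subject}: {c.sig_alg}" for c in chain
            if not is_trusted(c, keystore, cacerts, trustcacerts)
            and c.sig_alg in WEAK_SIG_ALGS]

def import_cert(keystore, alias, cert, cacerts, trustcacerts):
    """-importcert: the weak check runs against the keystore as it was
    BEFORE the import, so the incoming cert cannot vouch for itself."""
    warnings = check_weak([cert], keystore, cacerts, "importcert", trustcacerts)
    keystore.trusted[alias] = cert
    return warnings

# Constructed sample data: a SHA-1 root in cacerts and a SHA-256 leaf under it.
ROOT = Cert("CN=Root", "CN=Root", "SHA1withRSA")
LEAF = Cert("CN=Leaf", "CN=Root", "SHA256withRSA")
CACERTS = {ROOT}

if __name__ == "__main__":
    print(check_weak([LEAF, ROOT], KeyStore(), CACERTS, "importcert", True))
    print(check_weak([LEAF, ROOT], KeyStore(), CACERTS, "importcert", False))
    ks = KeyStore()
    self_signed = Cert("CN=Self", "CN=Self", "MD5withRSA")
    print(import_cert(ks, "self", self_signed, CACERTS, True))
    print(import_cert(ks, "again", self_signed, CACERTS, True))
```

The first import of the MD5 self-signed cert warns, the second does not, because the first import made it a trusted entry of the keystore.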
