Hi Tony,
Please include this tiny change to keytool:
diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Main.java
b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@@ -4658,7 +4658,7 @@
rb.getString("whose.key.risk"),
label,
String.format(rb.getString("key.bit"),
- KeyUtil.getKeySize(key), key.getAlgorithm())));
+ KeyUtil.getKeySize(key),
fullDisplayAlgName(key))));
}
}
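Review bot: the hunk calls `fullDisplayAlgName(key)` but its definition is not in the diff, so the reviewer has to confirm it is already present in Main.java and that it returns the bare algorithm name for non-EC keys (RSA, DSA), otherwise the `key.bit` message text changes for those keys too; the format string still receives exactly two arguments, which keeps the resource-bundle arity intact. Note also that the continuation line `fullDisplayAlgName(key))));` has lost its leading `+` in the mail extraction; it should be read as part of the added line above it.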
Without this change, when a new keypair is generated using a disabled curve name, it will show
The generated certificate uses a 256-bit EC key which is considered a security risk.
With it, there is a clue:
The generated certificate uses a 256-bit EC (secp256k1) key which is considered a security risk.
I used to only check the algorithm name and key size.
Thanks,
Max
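The following is an added example, not code from the patch or from OpenJDK, illustrating the point of the change: a keytool-style warning that names the EC curve rather than only "EC". Assumptions not taken from the thread: the helper names (`curveName`, `keySize`, `warning`), a constructed stand-in for the curves listed in the `jdk.disabled.namedCurves` security property that Tony's webrev introduces, and reliance on the SunEC `NamedCurve.toString()` format `"name (oid)"` to recover the curve name from an `ECParameterSpec`, since the public API exposes no curve name directly.

```java
// Added example (not the patch's code): build the "uses a N-bit EC (curve) key"
// warning for a key whose curve is on a disabled list.
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Set;

public class CurveWarningDemo {

    // Constructed stand-in for jdk.disabled.namedCurves; real keytool would read
    // Security.getProperty("jdk.disabled.namedCurves") and split on commas.
    static final Set<String> DISABLED_CURVES = Set.of("secp256k1");

    /** Curve name for EC keys (e.g. "secp256k1"), or null for non-EC keys. */
    static String curveName(Key key) {
        if (!(key instanceof ECKey)) {
            return null;
        }
        // Assumption: SunEC's NamedCurve.toString() yields "secp256k1 (1.3.132.0.10)",
        // so the first token is the curve name. Other providers may differ.
        String s = ((ECKey) key).getParams().toString();
        int sp = s.indexOf(' ');
        return sp > 0 ? s.substring(0, sp) : s;
    }

    /** "EC (secp256k1)" for EC keys, plain algorithm name otherwise. */
    static String fullDisplayAlgName(Key key) {
        String curve = curveName(key);
        return curve == null ? key.getAlgorithm()
                             : key.getAlgorithm() + " (" + curve + ")";
    }

    /** Key size in bits for EC and RSA keys; -1 if unknown. */
    static int keySize(Key key) {
        if (key instanceof ECKey) {
            return ((ECKey) key).getParams().getOrder().bitLength();
        }
        if (key instanceof RSAKey) {
            return ((RSAKey) key).getModulus().bitLength();
        }
        return -1;
    }

    /** Warning text if the key's curve is disabled, otherwise null. */
    static String warning(Key key) {
        String curve = curveName(key);
        if (curve != null && DISABLED_CURVES.contains(curve)) {
            return String.format(
                "The generated certificate uses a %d-bit %s key which is considered a security risk.",
                keySize(key), fullDisplayAlgName(key));
        }
        return null;
    }

    static void check(String curve) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        try {
            kpg.initialize(new ECGenParameterSpec(curve));
        } catch (java.security.InvalidAlgorithmParameterException e) {
            // Later JDKs removed some curves from SunEC entirely; report and move on.
            System.out.println(curve + ": not supported by this provider (" + e.getMessage() + ")");
            return;
        }
        KeyPair kp = kpg.generateKeyPair();
        String w = warning(kp.getPublic());
        System.out.println(curve + ": " + (w == null ? "no warning" : w));
    }

    public static void main(String[] args) throws Exception {
        check("secp256k1");   // on the constructed disabled list: warning names the curve
        check("secp256r1");   // not disabled: no warning
    }
}
```

Running it on a JDK that still provides secp256k1 prints the curve-qualified message for that key and "no warning" for secp256r1; the curve name is what lets an operator map the message back to the `jdk.disabled.namedCurves` entry that triggered it.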
> On Dec 10, 2019, at 2:04 AM, Anthony Scarpino <[email protected]>
> wrote:
>
> I've updated the webrev to address many of the comments. In particular
> adding checks when keys given directly. Also, the changing from legacyEC
> hardcoded list to a security property jdk.disabled.namedCurves.
>
> https://cr.openjdk.java.net/~ascarpino/8233228/webrev.01/
>
> Tony