Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms

Wed, 27 Apr 2022 12:39:47 -0700 

On Tue, 19 Apr 2022 16:08:28 GMT, Hai-May Chao <[email protected]> wrote:

> Please review these changes to add DES/3DES/MD5 to 
> `jdk.security.legacyAlgorithms` security property, and to add the legacy 
> algorithm constraint checking to `keytool` commands that are associated with 
> secret key entries stored in the keystore. These `keytool` commands are 
> -genseckey, -importpass, -list, and -importkeystore. As a result, `keytool` 
> will be able to generate warnings when it detects that the secret key based 
> algorithms and PBE based Mac and cipher algorithms are weak. Also removes the 
> "This algorithm will be disabled in a future update.” from the existing 
> warnings for the asymmetric keys/certificates.
> Will also file a CSR.

Changes requested by mullan (Reviewer).

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1876:

> 1874: 
> 1875:         CertPathConstraintsParameters cpcp =
> 1876:                 new CertPathConstraintsParameters(secKey, null, null, 
> null);

Using `CertPathConstraintsParameters` is a little odd here, even though it 
works. I suggest creating a local `SecretKeyConstraintsParameters` subclass 
with a ctor with just the parameters you need and overriding the methods as 
needed. And changing `checkWeakConstraint` to take a `ConstraintsParameters` 
instead of `CertPathConstraintsParameters`.

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1876:

> 1874: 
> 1875:         CertPathConstraintsParameters cpcp =
> 1876:                 new CertPathConstraintsParameters(secKey, null, null, 
> null);

Using `CertPathConstraintsParameters` is a little odd here, even though it 
works. I suggest creating a local `SecretKeyConstraintsParameters` subclass 
with a ctor with just the parameters you need and overriding the methods as 
needed. And changing `checkWeakConstraints` to take a `ConstraintsParameters` 
instead of `CertPathConstraintsParameters`.

test/jdk/sun/security/tools/keytool/ReadJar.java line 162:

> 160:                 .shouldContain("Certificate #2:")
> 161:                 .shouldContain("Signer #2:")
> 162:                 .shouldNotMatch("The certificate #.* of signer #.*" + 
> "uses the SHA1withRSA.*will be disabled")

You probably don't need to check for a non-occurrence here since the message 
has been changed and can no longer occur.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300

Reply via email to