On Wed, 27 Apr 2022 21:04:59 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> Changes requested by mullan (Reviewer).
>
> @seanjmullan Since we use symmetric keys to encrypt entries and add integrity check, should this enhancement cover them as well? For example, if a PKCS12 keystore is created with `-J-Dkeystore.pkcs12.legacy=true`, should the algorithms used be warned? BTW, in legacy mode, we use PBEWithSHA1AndRC2_40 when encrypting keys. Should the security property include "RC2" as well?
>
> Not sure if it's doable, because those are PKCS12-specific codes. `keytool` is not able to see them.

@wangweij This is an interesting question that you raised. From the keytool perspective, this security property `keystore.pkcs12.legacy` is implemented in the underlying `PKCS12 KeyStore`, as you pointed out. It's not clear to me that RC2 needs to be added to the security property. Regarding the PBEWithSHA1AndRC2_40 algorithm, the algorithm constraint checking will always flag "SHA1" as a weak algorithm prior to RC2 after decomposing this algorithm. And RC2 is not supported by the PKCS12 KeyStore already.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300