On Wed, 27 Apr 2022 19:35:04 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> SecretKeyConstraintsParameters subclass created and property description >> updated > > Changes requested by mullan (Reviewer). > @seanjmullan Since we use symmetric keys to encrypt entries and add integrity > check, should this enhancement cover them as well? For example, if a PKCS12 > keystore is created with `-J-Dkeystore.pkcs12.legacy=true`, should the > algorithms used be warned? BTW, in legacy mode, we use PBEWithSHA1AndRC2_40 > when encrypting keys. Should the security property include "RC2" as well? > > Not sure if it's doable, because those are PKCS12-specific codes. `keytool` > is not able to see them. Right, I think this would require knowledge of what keystore type is being used and parsing the PKCS12 encoded bytes which seems beyond the scope of this RFE. Also, those algorithms are disabled by default, so in some sense the user is making a decision to use them by enabling the system property and therefore are taking the risk themselves. ------------- PR: https://git.openjdk.java.net/jdk/pull/8300
