On Thu, 28 Apr 2022 13:47:05 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> Changes requested by mullan (Reviewer). > >> @seanjmullan Since we use symmetric keys to encrypt entries and add >> integrity check, should this enhancement cover them as well? For example, if >> a PKCS12 keystore is created with `-J-Dkeystore.pkcs12.legacy=true`, should >> the algorithms used be warned? BTW, in legacy mode, we use >> PBEWithSHA1AndRC2_40 when encrypting keys. Should the security property >> include "RC2" as well? >> >> Not sure if it's doable, because those are PKCS12-specific codes. `keytool` >> is not able to see them. > > Right, I think this would require knowledge of what keystore type is being > used and parsing the PKCS12 encoded bytes which seems beyond the scope of > this RFE. Also, those algorithms are disabled by default, so in some sense > the user is making a decision to use them by enabling the system property and > therefore are taking the risk themselves. @seanjmullan @wangweij Thanks for the review! ------------- PR: https://git.openjdk.java.net/jdk/pull/8300
