On Fri, 13 Dec 2024 15:10:15 GMT, Weijun Wang <[email protected]> wrote:
>> Traditionally, an asymmetric key has a key size. The size is displayed by
>> `keytool` and `jarsigner`, both in informational output and weak-key
>> warnings. However, for the recently added ML-DSA algorithm, key size is not
>> defined.
>>
>> Thus when an ML-DSA key is created, `keytool` shows
>>
>> Generating -1 bit ML-DSA-65 key pair...
>>
>> When the entry is being displayed by `keytool -list -v`, it shows
>>
>> Subject Public Key Algorithm: -1-bit ML-DSA-65 key
>>
>> If the algorithm is disabled, `keytool -list` shows
>>
>> <x> uses a -1-bit ML-DSA-65 key which is considered a security risk...
>>
>> Furthermore, if a JAR file is signed by ML-DSA, `jarsigner -verify` also
>> shows
>>
>> Signature algorithm: ML-DSA-65, unknown size
>>
>> or when the algorithm is disabled, it shows
>>
>> Signature algorithm: ML-DSA-65, -1-bit key (disabled)
>> The ML-DSA-65 signing key has a keysize of -1 which is considered a security
>> risk.
>>
>>
>> With this code change, a key can either have a key size or be characterized by
>> a `NamedParameterSpec`, and the display chooses one of them.
>>
>> One special case is EC keys, which have both a keysize and a
>> `NamedParameterSpec`. Both are displayed.
>
> Weijun Wang has updated the pull request incrementally with one additional
> commit since the last revision:
>
> no more combined output
src/java.base/share/classes/sun/security/tools/keytool/Resources.java line 312:
> 310: {"size.bit.alg",
> 311: "%1$d-bit %2$s"},
> 312: {"Generating.full.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for",
"validality" is not a word. Maybe just remove this word in the name.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22735#discussion_r1909047364
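An added illustration of the size-or-NamedParameterSpec rule described in the quoted PR summary (example code written for this note, not keytool's own implementation). It assumes JDK 24 or later for the ML-DSA generator, that ML-DSA keys expose their parameter set as a `NamedParameterSpec` via `AsymmetricKey.getParams()`, and that the EC curve name is passed in by the caller, since the public `ECParameterSpec` API has no name accessor.

```java
import java.security.AsymmetricKey;
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.NamedParameterSpec;

public class KeyDescriptor {

    // Bit size for key types that define one; -1 otherwise, which is the
    // value the old keytool output printed for ML-DSA.
    static int keySize(Key key) {
        if (key instanceof RSAKey rsa) return rsa.getModulus().bitLength();
        if (key instanceof ECKey ec) return ec.getParams().getCurve().getField().getFieldSize();
        return -1;
    }

    // Parameter-set name when the key reports a NamedParameterSpec (EdDSA and
    // XDH keys do; ML-DSA keys are assumed to in JDK 24+), null otherwise.
    static String namedSpec(Key key) {
        if (key instanceof AsymmetricKey ak
                && ak.getParams() instanceof NamedParameterSpec nps) {
            return nps.getName();
        }
        return null;
    }

    // Pick the description: a size when there is one, the parameter-set name
    // when there is not, never "-1-bit". EC keys have both, so the curve name
    // is supplied by the caller (assumption of this example).
    static String describe(Key key, String ecCurve) {
        int size = keySize(key);
        String name = namedSpec(key);
        String alg = key.getAlgorithm();
        if (key instanceof ECKey && ecCurve != null) return size + "-bit " + ecCurve + " " + alg + " key";
        if (size > 0) return size + "-bit " + alg + " key";
        if (name != null) return name + " key";
        return alg + " key, unknown size";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        System.out.println(describe(rsa.generateKeyPair().getPublic(), null));
        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(new ECGenParameterSpec("secp256r1"));
        System.out.println(describe(ec.generateKeyPair().getPublic(), "secp256r1"));
        KeyPairGenerator ml = KeyPairGenerator.getInstance("ML-DSA-65"); // JDK 24+
        System.out.println(describe(ml.generateKeyPair().getPublic(), null));
    }
}
```

On a JDK without ML-DSA support the last generator lookup throws `NoSuchAlgorithmException`; the RSA and EC cases run on any recent JDK.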