On Fri, 13 Dec 2024 15:10:15 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> Traditionally, an asymmetric key has a key size. The size is displayed by >> `keytool` and `jarsigner`, both in informational output and weak-key >> warnings. However, for the recently added ML-DSA algorithm, key size is not >> defined. >> >> Thus when an ML-DSA key is created, `keytool` shows >> >> Generating -1 bit ML-DSA-65 key pair... >> >> When the entry is being displayed by `keytool -list -v`, it shows >> >> Subject Public Key Algorithm: -1-bit ML-DSA-65 key >> >> If the algorithm is disabled, `keytool -list` shows >> >> <x> uses a -1-bit ML-DSA-65 key which is considered a security risk... >> >> Furthermore, if a JAR file is signed by ML-DSA, `jarsigner -verify` also >> shows >> >> Signature algorithm: ML-DSA-65, unknown size >> >> or when the algorithm is disabled, it shows >> >> Signature algorithm: ML-DSA-65, -1-bit key (disabled) >> The ML-DSA-65 signing key has a keysize of -1 which is considered a security >> risk. >> >> >> With this code change, a key can either has a key size, or characterized by >> a `NamedParameterSpec`, and the display chooses one of them. >> >> One special case is EC keys, which have both a keysize and a >> `NamedParameterSpec`. Both are displayed. > > Weijun Wang has updated the pull request incrementally with one additional > commit since the last revision: > > no more combined output src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2074: > 2072: * Note: the same method appears in keytool and jarsigner which uses > 2073: * same resource string defined in their own Resources.java. > 2074: * This method appears in both keytool and jarsigner as documented here. Can we define a common method in KeyUtil class, which can return "size" and "alg", in order for its caller to construct its display? ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/22735#discussion_r1909323342
