On Fri, 13 Dec 2024 14:18:10 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> Traditionally, an asymmetric key has a key size. The size is displayed by > `keytool` and `jarsigner`, both in informational output and weak-key > warnings. However, for the recently added ML-DSA algorithm, key size is not > defined. > > Thus when an ML-DSA key is created, `keytool` shows > > Generating -1 bit ML-DSA-65 key pair... > > When the entry is being displayed by `keytool -list -v`, it shows > > Subject Public Key Algorithm: -1-bit ML-DSA-65 key > > If the algorithm is disabled, `keytool -list` shows > > <x> uses a -1-bit ML-DSA-65 key which is considered a security risk... > > Furthermore, if a JAR file is signed by ML-DSA, `jarsigner -verify` also shows > > Signature algorithm: ML-DSA-65, unknown size > > or when the algorithm is disabled, it shows > > Signature algorithm: ML-DSA-65, -1-bit key (disabled) > The ML-DSA-65 signing key has a keysize of -1 which is considered a security > risk. > > > With this code change, a key can either has a key size, or characterized by a > `NamedParameterSpec`, and the display chooses one of them. > > One special case is EC keys, which have both a keysize and a > `NamedParameterSpec`. Both are displayed. This pull request has now been integrated. Changeset: fa5ff82e Author: Weijun Wang <wei...@openjdk.org> URL: https://git.openjdk.org/jdk/commit/fa5ff82eb3f0f2df74acd117509bac6e3c634a3f Stats: 231 lines in 12 files changed: 71 ins; 69 del; 91 mod 8342062: Reformat keytool and jarsigner output for keys with a named parameter set Reviewed-by: mullan ------------- PR: https://git.openjdk.org/jdk/pull/22735
