An update webrev is at http://cr.openjdk.java.net/~weijun/8171319/webrev.01/
The major change is that every risk warning has a owner now, i.e. instead of just saying "MD5withRSA is weak", it prints out whose algorithm is weak. For example:
The generated CRL uses the MD5withRSA signature algorithm which is considered a security risk.
Please take a look at the output of the newly added regression test at http://cr.openjdk.java.net/~weijun/8171319/webrev.01/examples.txt Thanks Max On 01/23/2017 06:02 PM, Weijun Wang wrote:
Hi All Please take a review at http://cr.openjdk.java.net/~weijun/8171319/webrev.00/ Warnings are printed to System.err when weak algorithms/keysizes are detected during the execution, this includes input, output, and any certs used. The detection applies to many keytool functions: - generation of certificate, certificate request, CRL - reading (printing, listing, exporting) of above - importing of certificate or certificates reply The behavior of most functions remains unchanged. The only exception is "keytool -importcert", where the user must reply to a prompt if weak algorithms/keysizes are detected, unless -noprompt is specified on the command line. Warnings are either printed at the end, or before a prompt. If there are multiple weak points, multiple warnings will be printed. The detection is based on the security property jdk.certpath.disabledAlgorithms. For example: $ keytool -genkeypair -alias a -dname CN=a -keyalg RSA -sigalg MD5withRSA Warning: The MD5withRSA signature algorithm is considered a security risk. $ keytool -keystore ks -storepass changeit -keypass changeit -list Keystore type: JKS Keystore provider: SUN Your keystore contains 3 entries b, Jan 23, 2017, PrivateKeyEntry, Certificate fingerprint (SHA-256): D8:46:B7:0B:8B:97:C2:DE:A2:17:62:01:27:82:2B:CE:B1:9B:12:0B:24:D5:47:BF:BD:54:EE:8A:71:29:2B:CE a, Jan 23, 2017, PrivateKeyEntry, Certificate fingerprint (SHA-256): 66:70:DF:11:14:A1:96:58:92:F5:6A:10:09:B1:2F:CC:1C:CC:2D:55:47:1D:EE:74:75:AA:26:63:E4:9D:EA:83 Warning: <b>'s 512-bit RSA key is considered a security risk. <a>'s MD5withRSA signature algorithm is considered a security risk. $ keytool -importcert -alias a -file b+a.certs Warning: Reply #2 of 2's 512-bit RSA key is considered a security risk. Install reply anyway? [no]:no Certificate reply was not installed in keystore Thanks Max