Looks good. Please file a follow-on issue to remove the defaults.

--Sean

On 11/16/18 9:35 AM, Weijun Wang wrote:

Please take a review at

   https://cr.openjdk.java.net/~weijun/8212003/webrev.00/

Here, a warning is added when -keyalg is not specified, and some informational text output that was only available in verbose mode is now always printed.

Below is the exact output you will see after this change. Please note that we can only create DES SecretKey in JCEKS keystore. Also, depending on whether the subject is provided through -dname or entered interactively, the warning on the default -keyalg option appears in different places. In the interactive mode, it appears at the beginning so that the user can exit earlier if the default -keyalg value is not preferred.

$ keytool -genseckey -alias a -keystore jceks -storepass changeit -storetype jceks -keypass changeit
Generated 56-bit DES secret key

Warning:
No -keyalg option. The default key algorithm (DES) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.
The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore jceks -destkeystore jceks -deststoretype pkcs12".

$ keytool -genkeypair -alias c -keystore /tmp/p12 -storepass changeit

Warning:
No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.

What is your first and last name?
  [Unknown]: Duke
What is the name of your organizational unit?
  [Unknown]: Java
What is the name of your organization?
  [Unknown]: Oracle
What is the name of your City or Locality?
  [Unknown]: Santa Clara
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=Duke, OU=Java, O=Oracle, L=Santa Clara, ST=CA, C=US correct?
  [no]: yes

Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days
        for: CN=Duke, OU=Java, O=Oracle, L=Santa Clara, ST=CA, C=US

$ keytool -genkeypair -alias d -keystore /tmp/p12 -storepass changeit -dname CN=A
Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days
        for: CN=A

Warning:
No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.

Thanks
Max
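
Added example, not part of the original thread or of the JDK change: since the warning announces that the -keyalg default will be removed, build and provisioning scripts that rely on it can be found ahead of time. The function below lists keytool key-generation commands without -keyalg; the function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list keytool key-generation commands in
# a script that omit -keyalg and so fall back to the legacy default (DSA/DES).

# Reads script text on stdin, prints "LINE: command" per finding.
find_default_keyalg() {
    awk '
    {
        if (buf == "") start = NR            # first line of a logical command
        line = $0
        if (sub(/\\$/, "", line)) {          # trailing backslash: continuation
            buf = buf line " "
            next
        }
        cmd = buf line
        buf = ""
        if (cmd ~ /^[ \t]*#/) next           # skip comment lines
        # -genkey is the older alias of -genkeypair.
        if (cmd ~ /keytool[ \t]/ &&
            cmd ~ /[ \t]-(genkeypair|genseckey|genkey)([ \t]|$)/ &&
            cmd !~ /[ \t]-keyalg[ \t]/) {
            gsub(/[ \t]+/, " ", cmd)
            print start ": " cmd
        }
    }'
}

# Constructed sample input, modelled on the commands quoted in the mail.
sample_script() {
cat <<'EOF'
# constructed sample build script
keytool -genkeypair -alias c -keystore /tmp/p12 -storepass changeit
keytool -genkeypair -alias d -keyalg RSA -keystore /tmp/p12 \
    -storepass changeit -dname CN=A
keytool -genseckey -alias a -keystore jceks \
    -storetype jceks -storepass changeit
keytool -list -keystore /tmp/p12 -storepass changeit
EOF
}

sample_script | find_default_keyalg
```

The check is textual, so invocations that build the keytool command line from variables are not covered.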