On Tue, 19 Apr 2022 16:08:28 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
> Please review these changes to add DES/3DES/MD5 to > `jdk.security.legacyAlgorithms` security property, and to add the legacy > algorithm constraint checking to `keytool` commands that are associated with > secret key entries stored in the keystore. These `keytool` commands are > -genseckey, -importpass, -list, and -importkeystore. As a result, `keytool` > will be able to generate warnings when it detects that the secret key based > algorithms and PBE based Mac and cipher algorithms are weak. Also removes the > "This algorithm will be disabled in a future update.” from the existing > warnings for the asymmetric keys/certificates. > Will also file a CSR. Changes requested by mullan (Reviewer). src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1876: > 1874: > 1875: CertPathConstraintsParameters cpcp = > 1876: new CertPathConstraintsParameters(secKey, null, null, > null); Using `CertPathConstraintsParameters` is a little odd here, even though it works. I suggest creating a local `SecretKeyConstraintsParameters` subclass with a ctor with just the parameters you need and overriding the methods as needed. And changing `checkWeakConstraint` to take a `ConstraintsParameters` instead of `CertPathConstraintsParameters`. src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1876: > 1874: > 1875: CertPathConstraintsParameters cpcp = > 1876: new CertPathConstraintsParameters(secKey, null, null, > null); Using `CertPathConstraintsParameters` is a little odd here, even though it works. I suggest creating a local `SecretKeyConstraintsParameters` subclass with a ctor with just the parameters you need and overriding the methods as needed. And changing `checkWeakConstraints` to take a `ConstraintsParameters` instead of `CertPathConstraintsParameters`. test/jdk/sun/security/tools/keytool/ReadJar.java line 162: > 160: .shouldContain("Certificate #2:") > 161: .shouldContain("Signer #2:") > 162: .shouldNotMatch("The certificate #.* of signer #.*" + > "uses the SHA1withRSA.*will be disabled") You probably don't need to check for a non-occurrence here since the message has been changed and can no longer occur. ------------- PR: https://git.openjdk.java.net/jdk/pull/8300