On Fri, 29 Apr 2022 17:06:28 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
>> Please review these changes to add DES/3DES/MD5 to
>> `jdk.security.legacyAlgorithms` security property, and to add the legacy
>> algorithm constraint checking to `keytool` commands that are associated with
>> secret key entries stored in the keystore. These `keytool` commands are
>> -genseckey, -importpass, -list, and -importkeystore. As a result, `keytool`
>> will be able to generate warnings when it detects that the secret key based
>> algorithms and PBE based Mac and cipher algorithms are weak. Also removes
>> the "This algorithm will be disabled in a future update." from the existing
>> warnings for the asymmetric keys/certificates.
>> Will also file a CSR.
>
> Hai-May Chao has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Removed RC2 changes

src/java.base/share/conf/security/java.security line 644:

> 642: #
> 643: # In some environments, a certain algorithm or key length may be undesirable
> 644: # but is not yet disabled.

I would also remove the words "but is not yet disabled." An algorithm may be disabled at different times for different components, such as TLS or Kerberos, so it isn't always a yes or no answer. Also, if a disabled algorithm is re-enabled (by modifying the security properties), we still want `keytool` or `jarsigner` to show warnings.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300