On Tue, 3 May 2022 14:54:05 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
>> Please review these changes to add DES/3DES/MD5 to >> `jdk.security.legacyAlgorithms` security property, and to add the legacy >> algorithm constraint checking to `keytool` commands that are associated with >> secret key entries stored in the keystore. These `keytool` commands are >> -genseckey, -importpass, -list, and -importkeystore. As a result, `keytool` >> will be able to generate warnings when it detects that the secret key based >> algorithms and PBE based Mac and cipher algorithms are weak. Also removes >> the "This algorithm will be disabled in a future update.” from the existing >> warnings for the asymmetric keys/certificates. >> Will also file a CSR. > > Hai-May Chao has updated the pull request incrementally with one additional > commit since the last revision: > > Update per review comments I found a keytool bug. It prints out "PBEWithMD5AndDES" no matter what key algorithm is used in `keytool -importpass`. Together with the code change here, it means a warning will always be shown even if we choose a strong algorithm. https://bugs.openjdk.java.net/browse/JDK-8286069 filed. ------------- PR: https://git.openjdk.java.net/jdk/pull/8300