JDK-8238640 : Tools should warn if weak algorithms are used before restricting them
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 7-pool,8-pool,11-pool,14-pool,15
  • Submitted: 2020-02-06
  • Updated: 2020-12-23
  • Resolved: 2020-04-12
Related Reports
CSR :  
JDK-8172404 - Tools should warn if weak algorithms are used before restricting them
CSR :  
JDK-8258893 - Tools should warn if weak algorithms are used before restricting them
CSR :  
JDK-8246690 - Tools should warn if weak algorithms are used before restricting them
Description
Summary
-------

Add "jdk.security.legacyAlgorithms" security property to the `java.security` property file. The keytool and jarsigner tools will be enhanced to enforce the new property and to print out warnings when the legacy algorithms are used.This enables users to plan transitioning away from them.

Problem
-------

The JDK currently rejects some weak algorithms (Ex: MD5) in a signed jar or a certificate using the "jdk.jar.disabledAlgorithms" and "jdk.certpath.disabledAlgorithms" security properties. The keytool and jarsigner tools currently enforce these properties and show proper warnings when a signed jar or certificate is using any of these disabled algorithms.
 
However, it would be useful to provide warnings on legacy algorithms that are becoming weak, so that users could begin to transition away from them, before they are actually disabled.

The first round of legacy algorithms include SHA1 and RSA/DSA keys less than 2048-bits.

Solution
--------

Add new security property describing the weak algorithms and the minimum RSA/DSA key size requirement, and let jarsigner and keytool show warnings accordingly when either case is being detected.

Specification
-------------

A new security property is introduced with the default values:

    #
    # Legacy algorithms for certification path (CertPath) processing and
    # signed JAR files.
    #
    # In some environments, a certain algorithm or key length may be undesirable
    # but is not yet disabled.
    #
    # Tools such as keytool and jarsigner may emit warnings when these legacy
    # algorithms are used. See the man pages for those tools for more information.
    #
    # The syntax is the same as the "jdk.certpath.disabledAlgorithms" and
    # "jdk.jar.disabledAlgorithms" security properties.
    #
    # Note: This property is currently used by the JDK Reference
    # implementation. It is not guaranteed to be examined and used by other
    # implementations.
 
    jdk.security.legacyAlgorithms=SHA1, \
        RSA keySize < 2048, DSA keySize < 2048

Notes:

keytool will use "jdk.certpath.disabledAlgorithms" and "jdk.security.legacyAlgorithms" security properties to decide which algorithm or key size is considered a security risk. Previously it used "jdk.certpath.disabledAlgorithms".

The warning message for the legacy algorithm found in "jdk.security.legacyAlgorithms" will be emitted as follows (using `keytool -gencert` as an example):

    The generated certificate uses the SHA1withRSA signature algorithm which is
    considered a security risk. This algorithm will be disabled in a future update.

For the disabled algorithm found in "jdk.certpath.disabledAlgorithms", the warning message will be:

    The generated certificate uses the MD5withRSA signature algorithm which is
     considered a security risk and is disabled.

Signing a JAR file by jarsigner tool will use "jdk.jar.disabledAlgorithms" and "jdk.security.legacyAlgorithms" to decide which algorithm or key size is considered a security risk. Previously it used "jdk.jar.disabledAlgorithms".

The warning message for the legacy algorithm found in "jdk.security.legacyAlgorithms" will be emitted as follows:

    The SHA1 algorithm specified for the -digestalg option is considered a security
    risk. This algorithm will be disabled in a future update.

For the disabled algorithm found in "jdk.jar.disabledAlgorithms", the warning message will be:

    The MD5 algorithm specified for the -digestalg option is considered a security
    risk and is disabled.

If jarsigner is verifying a signed JAR using an algorithm that matches "jdk.security.legacyAlgorithms" but not "jdk.jar.disabledAlgorithms", it will be treated as signed, but one of the following informational warnings will be shown:

    The SHA1 digest algorithm is considered a security risk. This algorithm will
    be disabled in a future update.

    The SHA1withRSA signature algorithm is considered a security risk. This
    algorithm will be disabled in a future update.

When displaying algorithm information such as for verbose output in `jarsigner -verify`, `keytool -printcert` and `-list` commands, the "(weak)" is used for the legacy algorithms and "(disabled)" is used for the disabled algorithms.

For example, the ���Signed by��� messages for jarsigner -verify:

    -Signed by ���CN=test1"
    Digest algorithm: SHA1 (weak)
    Signature algorithm: SHA1withRSA (weak), 1024-bit key (weak)

    -Signed by ���CN=test2"
    Digest algorithm: MD5 (disabled)
    Signature algorithm: MD5withRSA (disabled), 512-bit key (disabled)

For signing and verifying a JAR using the `-strict` option, the exit code will be zero when the algorithm or key size is found in the "jdk.security.legacyAlgorithms" for informational warnings.
Comments
Moving to Approved.
12-04-2020
Major changes made to the CSR since it was initially proposed are: - Change from two security properties to one security property named jdk.security.legacyAlgorithms in the java.security file. - Provide distinct warning messages for disabled algorithms and legacy algorithms. The warning messages are based on the discussion from the Crypto roadmap team.
10-04-2020
Joe, thanks for your review! Updated the Summary section with additional info for the new properties. Regarding the rephrasing the message, which will be issued during jarsigner -verify. The JAR will be verified if there is no other errors. Change as suggested. Same change also applies to the following message related to signature algorithm: The % signature algorithm used is currently considered too weak for signing. We're planing to document the changes as a result of the new properties. Opened JDK-8240552.
06-03-2020
[~darcy] Regarding the crypto roadmap, it is related and we would like to backport it. Once we have more information on what releases we would like to target we will add an entry to the roadmap. We want to get this into 15 first to allow it to bake for a bit since it is a non-trivial enhancement.
06-03-2020
Moving to Provisional. A few comments/question before the request is Finalized for the second phase of review? To the Summary section, please add what effect the new properties and intended to have. What coordination is there between these algorithm lists and the crypto roadmap? https://java.com/en/jre-jdk-cryptoroadmap.html I don't see the key constraints listed above listed under the planned changes on the roadmap. I would recommend rephrasing "The %s digest algorithm used is considered a security risk." to something like "The %s digest algorithm used is currently considered too weak for signing." Is there somewhere the new security properties can be documented in the JDK?
06-03-2020