JDK-8177569 : keytool should not warn if signature algorithm used in cacerts is weak
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2017-03-25
  • Updated: 2018-02-08
  • Resolved: 2017-03-29
Fix versions:
  • JDK 10: 10 (Fixed)
  • JDK 7: 7u171 (Fixed)
  • JDK 8: 8u151 (Fixed)
  • JDK 9: 9 b164 (Fixed)
  • Other: openjdk7u (Fixed)
Description
Currently keytool warns about weak signature algorithms used by a certificate. However, if that certificate is in cacerts, it should not be an issue. In fact, the certificate is pre-validated and we don't check the signature at all in Java.
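As an added illustration (not part of this bug report or of the JDK's keytool source), the program below audits the trusted certificate entries of a keystore and reports which ones a weak-signature-algorithm check would flag, while pointing out that a trust anchor's own signature is never verified during PKIX path validation; the class name, the simplified parsing of jdk.certpath.disabledAlgorithms and the 1024-bit RSA key threshold are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.*;
/** Audits a keystore's trusted certificate entries (the JDK cacerts by default). PKIX validation never
 *  verifies a trust anchor's own signature, so a weak sigalg there is no chain weakness; a weak anchor KEY is. */
public class TrustAnchorAudit {
    /** Unconstrained names in jdk.certpath.disabledAlgorithms (e.g. MD2, MD5, SHA1). Constrained entries
     *  such as "RSA keySize < 1024" are skipped, so this is a simplification of the JDK's own check. */
    static Set<String> disabledDigests() {
        Set<String> names = new HashSet<>();
        String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
        if (prop != null) for (String e : prop.split(",")) {
            e = e.trim();
            if (!e.isEmpty() && !e.contains(" ")) names.add(e.toUpperCase(Locale.ROOT));
        }
        return names;
    }
    static boolean usesDisabledDigest(String sigAlg, Set<String> disabled) {   // e.g. "SHA1withRSA"
        return disabled.stream().anyMatch(sigAlg.toUpperCase(Locale.ROOT)::contains);
    }
    /** One report line per trusted certificate entry: alias, sigalg, key algorithm and size, verdict. */
    static List<String> audit(KeyStore ks) throws Exception {
        Set<String> disabled = disabledDigests();
        List<String> report = new ArrayList<>();
        for (Enumeration<String> it = ks.aliases(); it.hasMoreElements();) {
            String alias = it.nextElement();
            // trust anchors only (PrivateKeyEntry chains are a different case)
            if (!ks.isCertificateEntry(alias) || !(ks.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) ks.getCertificate(alias);
            int bits = x.getPublicKey() instanceof RSAPublicKey
                    ? ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength() : -1;
            String verdict = usesDisabledDigest(x.getSigAlgName(), disabled)
                    ? "weak sigalg, but an anchor's signature is never verified by CertPath" : "sigalg ok";
            // assumed threshold: the anchor's key IS used, to verify the certificates it issued
            if (bits > 0 && bits < 1024) verdict += "; RSA key < 1024 bits, and the anchor key IS used";
            report.add(alias + ": " + x.getSigAlgName() + " / " + x.getPublicKey().getAlgorithm()
                    + (bits > 0 ? "-" + bits : "") + " -> " + verdict);
        }
        return report;
    }
    public static void main(String[] args) throws Exception {    // java TrustAnchorAudit [keystore] [password]
        String path = args.length > 0 ? args[0] : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();     // cacerts default password
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        for (String line : audit(ks)) System.out.println(line);
    }
}
```

Run it against a truststore you maintain: entries reported as "sigalg ok" or "weak sigalg, but ..." need no action on the signature side, whereas a short anchor key is a real chain weakness.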
Comments
Fix request approved. This fix is needed to avoid false warnings being generated by keytool on root certificates in the cacerts keystore.
29-03-2017

Fix request: We don't check for root CA's signature algorithm in CertPath API and the keytool warnings should be consistent with it. Since the warnings are newly added into JDK 9, it's better to be correct from the beginning to avoid any confusion. The fix is straightforward and focused on the problem itself and has a low risk. A new test case is also added. The proposed fix is in code review now at http://cr.openjdk.java.net/~weijun/8177569/webrev.00/.
27-03-2017