Bug ID: JDK-8172404 Tools should warn if weak algorithms are used before restricting them

JDK-8172404 : Tools should warn if weak algorithms are used before restricting them

Type: Enhancement
Component: security-libs
Sub-Component: java.security
Affected Version: 7,8,11,15

Priority: P3
Status: Resolved
Resolution: Fixed

Submitted: 2017-01-09
Updated: 2023-12-04
Resolved: 2020-04-17

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 13	JDK 15	JDK 7	JDK 8	Other
11.0.9-oracleFixed	13.0.9Fixed	15 b20Fixed	7u281Fixed	8u271Fixed	openjdk8u292Fixed

Related Reports

CSR :	JDK-8238640 - Tools should warn if weak algorithms are used before restricting them
Relates :	JDK-8243493 - Tools shouldn't warn for weak algorithms in cacerts
Relates :	JDK-8245151 - jarsigner should not raise duplicate warnings on verification
Relates :	JDK-8263817 - java.util.MissingResourceException if add cert with GOST key in cacerts
Relates :	JDK-8263664 - Remove root certificates with 1024-bit keys
Relates :	JDK-8260286 - Manual Test "ws/open/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java" fails
Relates :	JDK-8255402 - Warnings generated for JDK cacerts keystore
Relates :	JDK-8240552 - Update jarsigner and keytool man pages for the legacy algorithms
Relates :	JDK-8245665 - Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA

Sub Tasks

JDK-8244286 :

Release Note: Tools Warn If Weak Algorithms Are Used - Closed

Description

It would be useful to also start warning users that SHA-1 and 1024-bit RSA/DSA certificates are a security risk *before* we actually start disabling them.

We add a new jdk.security.legacyAlgorithms security property to the java.security property file. keytool and jarsigner tools will be enhanced to enforce the new property and to print out informational warnings when the legacy algorithms are used. This enables users to plan transitioning away from them. This would also allow a user to edit these properties independently so that you could still get warnings from tools even if the runtime allowed the algorithm.

Comments

Fix request (13u) To fix depends on JDK-8233228 so the JDK-8233228 needs to be backported to jdk13u first. See discussion for JDK-8233228 https://github.com/openjdk/jdk13u-dev/pull/32

26-11-2020

Fix request (11u) -- will label after testing completed. I would like to downport this for parity with 11.0.9-oracle. Does not apply clean: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-June/003238.html The CSR mentions 11. So I added it as CSR to the backport issue. Is that ok?

05-06-2020

URL: https://hg.openjdk.java.net/jdk/jdk/rev/6611a79f2ddf User: weijun Date: 2020-04-17 12:12:08 +0000

17-04-2020