JDK-8176087 : Release Note: keytool now prints warnings when reading or generating certificates/certificate requests/CRLs using weak algorithms
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u171,8u151,9
  • Priority: P2
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2017-03-02
  • Updated: 2017-12-15
  • Resolved: 2017-04-07
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 JDK 8 JDK 9
7u171Resolved 8u151Resolved 9Resolved
Description
With one exception, keytool will always print a warning if the certificate, certificate request, or CRL it is parsing, verifying, or generating is using a weak algorithm or key. When a certificate is from an existing `TrustedCertificateEntry`, either in the keystore directly operated on or in the `cacerts` keystore when the `-trustcacerts` option is specified for the `-importcert` command, keytool will not print a warning if it is signed with a weak signature algorithm. For example, suppose the file `cert` contains a CA certificate signed with a weak signature algorithm, `keytool -printcert -file cert` and `keytool -importcert -file cert -alias ca -keystore ks` will print out a warning, but after the last command imports it into the keystore, `keytool -list -alias ca -keystore ks` will not show a warning anymore.

An algorithm or a key is weak if it matches the value of the `jdk.certpath.disabledAlgorithms` security property defined in the `conf/security/java.security` file.
Comments
The "exception" part is for JDK-8177569.
08-08-2017