Bug ID: JDK-8177569 keytool should not warn if signature algorithm used in cacerts is weak

Type: Bug
Component: security-libs
Sub-Component: java.security
Affected Version: 9

Priority: P2
Status: Closed
Resolution: Fixed

Submitted: 2017-03-25
Updated: 2018-02-08
Resolved: 2017-03-29

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 10	JDK 7	JDK 8	JDK 9	Other
10Fixed	7u171Fixed	8u151Fixed	9 b164Fixed	openjdk7uFixed

Currently keytool warns about weak signature algorithms used by a certificate. However, if that certificate is in cacerts it should not be an issue. In fact, the certificate is pre-validated and we don't check the signature at all in Java.

Fix request approved. This fix is needed to avoid false warnings being generated by keytool on root certificates in the cacerts keystore.

29-03-2017

Fix request: We don't check for root CA's signature algorithm in CertPath API and the keytool warnings should be consistent with it. Since the warnings are newly added into JDK 9, it's better to be correct from the beginning to avoid any confusion. The fix is straight forward and focused on the problem itself and has a low risk. A new test case is also added. The proposed fix is in code review now at http://cr.openjdk.java.net/~weijun/8177569/webrev.00/.

27-03-2017

Relates :	JDK-8171319 - keytool should print out warnings when reading or generating cert/cert req using weak algorithms
Relates :	JDK-8181737 - Support secret keys and trusted certs in PKCS12 keystore
Relates :	JDK-8177760 - keytool can use -trustcacerts for commands other than -importcert