8286907: keytool should warn about weak PBE algorithms

Reviewed-by: mullan, weijun
2025-08-26 14:24:46 +02:00 · 2023-02-02 21:17:08 +00:00 · 2023-02-02 21:17:08 +00:00 · b00b70c240
commit b00b70c240
parent ee0f5b5ed0
2 changed files with 37 additions and 3 deletions
--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -1837,6 +1837,11 @@ public final class Main {
                useDefaultPBEAlgorithm = false;
            }

+            SecretKeyConstraintsParameters skcp =
+                    new SecretKeyConstraintsParameters(secKey);
+            checkWeakConstraint(rb.getString("the.generated.secretkey"),
+                    keyAlgName, skcp);
+
            if (verbose) {
                MessageFormat form = new MessageFormat(rb.getString(
                    "Generated.keyAlgName.secret.key"));
@ -5068,6 +5073,16 @@ public final class Main {
        }
    }

+    private void checkWeakConstraint(String label, String keyAlg,
+            SecretKeyConstraintsParameters skcp) {
+        try {
+            LEGACY_CHECK.permits(keyAlg, skcp, false);
+        } catch (CertPathValidatorException e) {
+            weakWarnings.add(String.format(
+                    rb.getString("key.algorithm.weak"), label, keyAlg));
+        }
+    }
+
    private void checkWeak(String label, CRL crl, Key key) {
        if (crl instanceof X509CRLImpl impl) {
            checkWeak(label, impl.getSigAlgName(), key);