8212003: Deprecating the default keytool -keyalg option

Reviewed-by: mullan, xuelei

src/java.base/share/classes/sun/security/tools/keytool/Main.java

@@ -1123,12 +1123,16 @@ public final class Main {
         } else if (command == GENKEYPAIR) {
             if (keyAlgName == null) {
                 keyAlgName = "DSA";
+                weakWarnings.add(String.format(rb.getString(
+                        "keyalg.option.1.missing.warning"), keyAlgName));
             }
             doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
             kssave = true;
         } else if (command == GENSECKEY) {
             if (keyAlgName == null) {
                 keyAlgName = "DES";
+                weakWarnings.add(String.format(rb.getString(
+                        "keyalg.option.1.missing.warning"), keyAlgName));
             }
             doGenSecretKey(alias, keyAlgName, keysize);
             kssave = true;
@@ -1758,14 +1762,12 @@ public final class Main {
             keygen.init(keysize);
             secKey = keygen.generateKey();
 
-            if (verbose) {
             MessageFormat form = new MessageFormat(rb.getString
                 ("Generated.keysize.bit.keyAlgName.secret.key"));
             Object[] source = {keysize,
                                 secKey.getAlgorithm()};
             System.err.println(form.format(source));
         }
-        }
 
         if (keyPass == null) {
             keyPass = promptForKeyPass(alias, null, storePass);
@@ -1841,6 +1843,7 @@ public final class Main {
         // If DN is provided, parse it. Otherwise, prompt the user for it.
         X500Name x500Name;
         if (dname == null) {
+            printWeakWarnings(true);
             x500Name = getX500Name();
         } else {
             x500Name = new X500Name(dname);
@@ -1866,7 +1869,6 @@ public final class Main {
         chain[0] = keypair.getSelfCertificate(
                 x500Name, getStartDate(startDate), validity*24L*60L*60L, ext);
 
-        if (verbose) {
         MessageFormat form = new MessageFormat(rb.getString
             ("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
         Object[] source = {keysize,
@@ -1875,7 +1877,6 @@ public final class Main {
                             validity,
                             x500Name};
         System.err.println(form.format(source));
-        }
 
         if (keyPass == null) {
             keyPass = promptForKeyPass(alias, null, storePass);

src/java.base/share/classes/sun/security/tools/keytool/Resources.java

@@ -481,6 +481,7 @@ public class Resources extends java.util.ListResourceBundle {
         {"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."},
         {"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."},
         {"importing.keystore.status", "Importing keystore %1$s to %2$s..."},
+        {"keyalg.option.1.missing.warning", "No -keyalg option. The default key algorithm (%s) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified."},
     };
 
 

test/jdk/sun/security/tools/keytool/DeprecateKeyalg.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.test.lib.SecurityTools;
+import jdk.test.lib.process.OutputAnalyzer;
+
+/**
+ * @test
+ * @bug 8212003
+ * @summary Deprecating the default keytool -keyalg option
+ * @library /test/lib
+ */
+
+public class DeprecateKeyalg {
+
+    private static final String COMMON = "-keystore ks -storetype jceks "
+            + "-storepass changeit -keypass changeit";
+
+    public static void main(String[] args) throws Throwable {
+
+        kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
+                .shouldContain("Generating")
+                .shouldNotContain("-keyalg option must be specified");
+
+        kt("-genkeypair -alias b -dname CN=B")
+                .shouldContain("Generating")
+                .shouldContain("default key algorithm (DSA)")
+                .shouldContain("-keyalg option must be specified");
+
+        kt("-genseckey -keyalg DES -alias c")
+                .shouldContain("Generated")
+                .shouldNotContain("-keyalg option must be specified");
+
+        kt("-genseckey -alias d")
+                .shouldContain("Generated")
+                .shouldContain("default key algorithm (DES)")
+                .shouldContain("-keyalg option must be specified");
+    }
+
+    private static OutputAnalyzer kt(String cmd) throws Throwable {
+        return SecurityTools.keytool(COMMON + " " + cmd)
+                .shouldHaveExitValue(0);
+    }
+}

test/jdk/sun/security/tools/keytool/KeyToolTest.java

@@ -638,12 +638,12 @@ public class KeyToolTest {
                 "-genkeypair -alias p1 -dname CN=olala");
         // when specify keypass, make sure keypass==storepass...
         testOK("changeit\n", "-keystore x.p12 -keypass changeit " +
-                "-storetype PKCS12 -genkeypair -alias p3 -dname CN=olala");
+                "-storetype PKCS12 -genkeypair -keyalg DSA -alias p3 -dname CN=olala");
         assertTrue(err.indexOf("Warning") == -1,
                 "PKCS12 silent when keypass == storepass");
         // otherwise, print a warning
         testOK("changeit\n", "-keystore x.p12 -keypass another" +
-                " -storetype PKCS12 -genkeypair -alias p2 -dname CN=olala");
+                " -storetype PKCS12 -genkeypair -keyalg DSA -alias p2 -dname CN=olala");
         assertTrue(err.indexOf("Warning") != -1,
                 "PKCS12 warning when keypass != storepass");
         // no -keypasswd for PKCS12
@@ -663,12 +663,12 @@ public class KeyToolTest {
                 "-genkeypair -alias p1 -dname CN=olala");
         // when specify keypass, make sure keypass==storepass...
         testOK("", "-storepass changeit -keystore x.p12 -keypass changeit " +
-                "-storetype PKCS12 -genkeypair -alias p3 -dname CN=olala");
+                "-storetype PKCS12 -genkeypair -keyalg DSA -alias p3 -dname CN=olala");
         assertTrue(err.indexOf("Warning") == -1,
                 "PKCS12 silent when keypass == storepass");
         // otherwise, print a warning
         testOK("", "-storepass changeit -keystore x.p12 -keypass another " +
-                "-storetype PKCS12 -genkeypair -alias p2 -dname CN=olala");
+                "-storetype PKCS12 -genkeypair -keyalg DSA -alias p2 -dname CN=olala");
         assertTrue(err.indexOf("Warning") != -1,
                 "PKCS12 warning when keypass != storepass");
 

test/jdk/sun/security/tools/keytool/WeakAlg.java

@@ -158,7 +158,7 @@ public class WeakAlg {
         rm("ks");
         rm("ks2");
 
-        kt("-genkeypair -alias a -dname CN=A")
+        kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
                 .shouldNotContain("Warning:");
         kt("-list")
                 .shouldNotContain("Warning:");