8172404: Tools should warn if weak algorithms are used before restricting them
Reviewed-by: mullan, weijun
parent
9735678c26
commit
f04a7e5cb4
14 changed files with 713 additions and 228 deletions
|
@ -194,6 +194,10 @@ public final class Main {
|
|||
new DisabledAlgorithmConstraints(
|
||||
DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
|
||||
|
||||
private static final DisabledAlgorithmConstraints LEGACY_CHECK =
|
||||
new DisabledAlgorithmConstraints(
|
||||
DisabledAlgorithmConstraints.PROPERTY_SECURITY_LEGACY_ALGS);
|
||||
|
||||
private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections
|
||||
.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
|
||||
private boolean isPasswordlessKeyStore = false;
|
||||
|
@ -3320,9 +3324,13 @@ public final class Main {
|
|||
|
||||
private String withWeak(String alg) {
|
||||
if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
|
||||
return alg;
|
||||
if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
|
||||
return alg;
|
||||
} else {
|
||||
return String.format(rb.getString("with.weak"), alg);
|
||||
}
|
||||
} else {
|
||||
return String.format(rb.getString("with.weak"), alg);
|
||||
return String.format(rb.getString("with.disabled"), alg);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -3341,13 +3349,17 @@ public final class Main {
|
|||
int kLen = KeyUtil.getKeySize(key);
|
||||
String displayAlg = fullDisplayAlgName(key);
|
||||
if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
|
||||
if (kLen >= 0) {
|
||||
return String.format(rb.getString("key.bit"), kLen, displayAlg);
|
||||
if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
|
||||
if (kLen >= 0) {
|
||||
return String.format(rb.getString("key.bit"), kLen, displayAlg);
|
||||
} else {
|
||||
return String.format(rb.getString("unknown.size.1"), displayAlg);
|
||||
}
|
||||
} else {
|
||||
return String.format(rb.getString("unknown.size.1"), displayAlg);
|
||||
return String.format(rb.getString("key.bit.weak"), kLen, displayAlg);
|
||||
}
|
||||
} else {
|
||||
return String.format(rb.getString("key.bit.weak"), kLen, displayAlg);
|
||||
return String.format(rb.getString("key.bit.disabled"), kLen, displayAlg);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -4651,18 +4663,28 @@ public final class Main {
|
|||
}
|
||||
|
||||
private void checkWeak(String label, String sigAlg, Key key) {
|
||||
|
||||
if (sigAlg != null && !DISABLED_CHECK.permits(
|
||||
SIG_PRIMITIVE_SET, sigAlg, null)) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("whose.sigalg.risk"), label, sigAlg));
|
||||
if (sigAlg != null) {
|
||||
if (!DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, sigAlg, null)) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("whose.sigalg.disabled"), label, sigAlg));
|
||||
} else if (!LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, sigAlg, null)) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("whose.sigalg.weak"), label, sigAlg));
|
||||
}
|
||||
}
|
||||
if (key != null && !DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("whose.key.risk"),
|
||||
label,
|
||||
|
||||
if (key != null) {
|
||||
if (!DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("whose.key.disabled"), label,
|
||||
String.format(rb.getString("key.bit"),
|
||||
KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
|
||||
KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
|
||||
} else if (!LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("whose.key.weak"), label,
|
||||
String.format(rb.getString("key.bit"),
|
||||
KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
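Review bot: In the key-description hunk (`@ -3341`), the `kLen >= 0` guard covers only the fully permitted branch, so a key whose size `KeyUtil.getKeySize` cannot determine would be printed through `key.bit.weak` or `key.bit.disabled` with a negative bit count. The same unguarded `String.format(rb.getString("key.bit"), KeyUtil.getKeySize(key), fullDisplayAlgName(key))` appears in both key branches of `checkWeak` (`@ -4651`). A wrong size inside a security warning makes triage harder, so I would build the description once, `String desc = kLen >= 0 ? String.format(rb.getString("key.bit"), kLen, displayAlg) : String.format(rb.getString("unknown.size.1"), displayAlg);`, and wrap it with the existing `with.weak` / `with.disabled` patterns in the two flagged branches. The enclosing method of the `@ -3341` hunk starts above the hunk, and which lines are old or new is inferred here because the page lost its `+`/`-` markers.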
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
@ -459,8 +459,10 @@ public class Resources extends java.util.ListResourceBundle {
|
|||
{"alias.in.cacerts", "Issuer <%s> in cacerts"},
|
||||
{"alias.in.keystore", "Issuer <%s>"},
|
||||
{"with.weak", "%s (weak)"},
|
||||
{"with.disabled", "%s (disabled)"},
|
||||
{"key.bit", "%1$d-bit %2$s key"},
|
||||
{"key.bit.weak", "%1$d-bit %2$s key (weak)"},
|
||||
{"key.bit.disabled", "%1$d-bit %2$s key (disabled)"},
|
||||
{"unknown.size.1", "%s key of unknown size"},
|
||||
{".PATTERN.printX509Cert.with.weak",
|
||||
"Owner: {0}\nIssuer: {1}\nSerial number: {2}\nValid from: {3} until: {4}\nCertificate fingerprints:\n\t SHA1: {5}\n\t SHA256: {6}\nSignature algorithm name: {7}\nSubject Public Key Algorithm: {8}\nVersion: {9}"},
|
||||
|
@ -468,8 +470,10 @@ public class Resources extends java.util.ListResourceBundle {
|
|||
"PKCS #10 Certificate Request (Version 1.0)\n" +
|
||||
"Subject: %1$s\nFormat: %2$s\nPublic Key: %3$s\nSignature algorithm: %4$s\n"},
|
||||
{"verified.by.s.in.s.weak", "Verified by %1$s in %2$s with a %3$s"},
|
||||
{"whose.sigalg.risk", "%1$s uses the %2$s signature algorithm which is considered a security risk."},
|
||||
{"whose.key.risk", "%1$s uses a %2$s which is considered a security risk."},
|
||||
{"whose.sigalg.disabled", "%1$s uses the %2$s signature algorithm which is considered a security risk and is disabled."},
|
||||
{"whose.sigalg.weak", "%1$s uses the %2$s signature algorithm which is considered a security risk. This algorithm will be disabled in a future update."},
|
||||
{"whose.key.disabled", "%1$s uses a %2$s which is considered a security risk and is disabled."},
|
||||
{"whose.key.weak", "%1$s uses a %2$s which is considered a security risk. This key size will be disabled in a future update."},
|
||||
{"jks.storetype.warning", "The %1$s keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
|
||||
{"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."},
|
||||
{"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."},
|
||||
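Review bot: The label `(weak)` changes meaning with these entries and nothing in the bundle records it. Judging by the `Main` hunks, `with.weak` and `key.bit.weak` used to be the text for an algorithm or key refused by the disabled-algorithm check; they now mark one that only the legacy check flags, and the new `with.disabled` / `key.bit.disabled` entries take over the old meaning. Anyone comparing keytool output across versions, or matching on it in scripts, can mistake a disabled algorithm for a merely weak one or the reverse. A comment above the group would settle it, e.g. `// "weak": flagged by jdk.security.legacyAlgorithms, warning only; "disabled": refused by the disabled-algorithms check`. The keys `whose.sigalg.risk` and `whose.key.risk` appear to be dropped in the `@ -468` hunk, so the localized bundles, which are not visible on this page, should be checked for stale entries.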
|
|
|
@ -63,6 +63,10 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
|
|||
public static final String PROPERTY_CERTPATH_DISABLED_ALGS =
|
||||
"jdk.certpath.disabledAlgorithms";
|
||||
|
||||
// Legacy algorithm security property for certificate path and jar
|
||||
public static final String PROPERTY_SECURITY_LEGACY_ALGS =
|
||||
"jdk.security.legacyAlgorithms";
|
||||
|
||||
// Disabled algorithm security property for TLS
|
||||
public static final String PROPERTY_TLS_DISABLED_ALGS =
|
||||
"jdk.tls.disabledAlgorithms";
|
||||
|
@ -948,4 +952,3 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
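Review bot: The comment on `PROPERTY_SECURITY_LEGACY_ALGS` (hunk `@ -63`) does not say that the property is advisory. That matters because the constant sits between two properties that really disable algorithms and is passed to the same `DisabledAlgorithmConstraints` constructor. In the keytool hunks of this commit the legacy constraints only select a warning text and never refuse an algorithm; whether other callers enforce them cannot be seen from this page. I would extend the comment to something like `// Legacy algorithm security property for certificate path and jar: tools warn about algorithms listed here, they are not rejected`. It would also help to document what an unset or empty property means for `permits`, since that decides whether a trimmed `java.security` file silently turns the warnings off.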
|
|