8172404: Tools should warn if weak algorithms are used before restricting them

Reviewed-by: mullan, weijun
Hai-May Chao 2020-04-17 20:11:39 +08:00 committed by Weijun Wang
parent 9735678c26
commit f04a7e5cb4
14 changed files with 713 additions and 228 deletions


@ -194,6 +194,10 @@ public final class Main {
new DisabledAlgorithmConstraints(
DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
private static final DisabledAlgorithmConstraints LEGACY_CHECK =
new DisabledAlgorithmConstraints(
DisabledAlgorithmConstraints.PROPERTY_SECURITY_LEGACY_ALGS);
private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections
.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
private boolean isPasswordlessKeyStore = false;
@ -3320,9 +3324,13 @@ public final class Main {
private String withWeak(String alg) {
if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
return alg;
if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, alg, null)) {
return alg;
} else {
return String.format(rb.getString("with.weak"), alg);
}
} else {
return String.format(rb.getString("with.weak"), alg);
return String.format(rb.getString("with.disabled"), alg);
}
}
@ -3341,13 +3349,17 @@ public final class Main {
int kLen = KeyUtil.getKeySize(key);
String displayAlg = fullDisplayAlgName(key);
if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
if (kLen >= 0) {
return String.format(rb.getString("key.bit"), kLen, displayAlg);
if (LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
if (kLen >= 0) {
return String.format(rb.getString("key.bit"), kLen, displayAlg);
} else {
return String.format(rb.getString("unknown.size.1"), displayAlg);
}
} else {
return String.format(rb.getString("unknown.size.1"), displayAlg);
return String.format(rb.getString("key.bit.weak"), kLen, displayAlg);
}
} else {
return String.format(rb.getString("key.bit.weak"), kLen, displayAlg);
return String.format(rb.getString("key.bit.disabled"), kLen, displayAlg);
}
}
@ -4651,18 +4663,28 @@ public final class Main {
}
private void checkWeak(String label, String sigAlg, Key key) {
if (sigAlg != null && !DISABLED_CHECK.permits(
SIG_PRIMITIVE_SET, sigAlg, null)) {
weakWarnings.add(String.format(
rb.getString("whose.sigalg.risk"), label, sigAlg));
if (sigAlg != null) {
if (!DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, sigAlg, null)) {
weakWarnings.add(String.format(
rb.getString("whose.sigalg.disabled"), label, sigAlg));
} else if (!LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, sigAlg, null)) {
weakWarnings.add(String.format(
rb.getString("whose.sigalg.weak"), label, sigAlg));
}
}
if (key != null && !DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
weakWarnings.add(String.format(
rb.getString("whose.key.risk"),
label,
if (key != null) {
if (!DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
weakWarnings.add(String.format(
rb.getString("whose.key.disabled"), label,
String.format(rb.getString("key.bit"),
KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
} else if (!LEGACY_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
weakWarnings.add(String.format(
rb.getString("whose.key.weak"), label,
String.format(rb.getString("key.bit"),
KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
}
}
}
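Review bot: In the withWeak(Key) hunk (`@ -3341`), the new `key.bit.disabled` branch formats `kLen` unconditionally, as the existing `key.bit.weak` branch already did, while the permitted branch guards with `kLen >= 0` and falls back to `unknown.size.1`; a key whose size cannot be determined is therefore reported with a negative bit length in exactly the disabled/weak cases where the warning matters most. The permitted branch shows the intended handling, so the weak and disabled branches should apply the same `if (kLen >= 0)` test and use an unknown-size wording, which would need matching resource strings in the resources file (not in this chunk); the method's signature lies outside the hunk. In the checkWeak hunk (`@ -4651`), the key description is built twice with identical arguments; hoisting it into one local, `String keyDesc = String.format(rb.getString("key.bit"), KeyUtil.getKeySize(key), fullDisplayAlgName(key));`, before the `DISABLED_CHECK` test and passing `keyDesc` to both `String.format` calls keeps the two messages from drifting apart. A one-line comment above the first `DISABLED_CHECK` test in each hunk, `// disabled takes precedence over legacy: an algorithm may appear in both lists`, would document why the order of the two checks is significant.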