Skip to content

Commit

Permalink
8286907: keytool should warn about weak PBE algorithms
Browse files Browse the repository at this point in the history
Reviewed-by: mullan, weijun
  • Loading branch information
Hai-May Chao committed Feb 2, 2023
1 parent ee0f5b5 commit b00b70c
Show file tree
Hide file tree
Showing 2 changed files with 37 additions and 3 deletions.
17 changes: 16 additions & 1 deletion src/java.base/share/classes/sun/security/tools/keytool/Main.java
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -1837,6 +1837,11 @@ private void doGenSecretKey(String alias, String keyAlgName,
useDefaultPBEAlgorithm = false;
}

SecretKeyConstraintsParameters skcp =
new SecretKeyConstraintsParameters(secKey);
checkWeakConstraint(rb.getString("the.generated.secretkey"),
keyAlgName, skcp);

if (verbose) {
MessageFormat form = new MessageFormat(rb.getString(
"Generated.keyAlgName.secret.key"));
Expand Down Expand Up @@ -5068,6 +5073,16 @@ private void checkWeakConstraint(String label, CRL crl, Key key,
}
}

private void checkWeakConstraint(String label, String keyAlg,
SecretKeyConstraintsParameters skcp) {
try {
LEGACY_CHECK.permits(keyAlg, skcp, false);
} catch (CertPathValidatorException e) {
weakWarnings.add(String.format(
rb.getString("key.algorithm.weak"), label, keyAlg));
}
}

private void checkWeak(String label, CRL crl, Key key) {
if (crl instanceof X509CRLImpl impl) {
checkWeak(label, impl.getSigAlgName(), key);
Expand Down
23 changes: 21 additions & 2 deletions test/jdk/sun/security/tools/keytool/WeakSecretKeyTest.java
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand All @@ -23,7 +23,7 @@

/*
* @test
* @bug 8255552 8286090
* @bug 8255552 8286090 8286907
* @summary Test keytool commands associated with secret key entries which use weak algorithms
* @library /test/lib
*/
Expand Down Expand Up @@ -108,5 +108,24 @@ public static void main(String[] args) throws Exception {
.shouldContain("Warning")
.shouldMatch("The generated secret key uses a 128-bit AES key.*considered a security risk")
.shouldHaveExitValue(0);

SecurityTools.keytool("-keystore ks.p12 -storepass changeit " +
"-genseckey -keyalg PBEWithMD5AndDES -alias pbekey1")
.shouldContain("Warning")
.shouldMatch("The generated secret key uses the PBEWithMD5AndDES algorithm.*considered a security risk")
.shouldHaveExitValue(0);

SecurityTools.keytool("-keystore ks.p12 -storepass changeit " +
"-genseckey -keyalg PBEWithSHA1AndDESede -alias pbekey2")
.shouldContain("Warning")
.shouldMatch("The generated secret key uses the PBEWithSHA1AndDESede algorithm.*considered a security risk")
.shouldHaveExitValue(0);

SecurityTools.setResponse("changeit", "changeit");
SecurityTools.keytool("-keystore ks.p12 -storepass changeit " +
"-importpass -keyalg PBEWithMD5AndDES -alias newentry")
.shouldContain("Warning")
.shouldMatch("The generated secret key uses the PBEWithMD5AndDES algorithm.*considered a security risk")
.shouldHaveExitValue(0);
}
}

1 comment on commit b00b70c

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.