8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms
Reviewed-by: mullan, weijun
This commit is contained in:
parent
4d30a1e8d1
commit
09e6ee96bd
src/java.base/share
test/jdk/sun/security/tools/keytool
@ -63,6 +63,7 @@ import java.util.Base64;
|
||||
|
||||
import sun.security.pkcs12.PKCS12KeyStore;
|
||||
import sun.security.provider.certpath.CertPathConstraintsParameters;
|
||||
import sun.security.util.ConstraintsParameters;
|
||||
import sun.security.util.ECKeySizeParameterSpec;
|
||||
import sun.security.util.KeyUtil;
|
||||
import sun.security.util.NamedCurve;
|
||||
@ -1869,6 +1870,11 @@ public final class Main {
|
||||
Object[] source = {keysize,
|
||||
secKey.getAlgorithm()};
|
||||
System.err.println(form.format(source));
|
||||
|
||||
SecretKeyConstraintsParameters skcp =
|
||||
new SecretKeyConstraintsParameters(secKey);
|
||||
checkWeakConstraint(rb.getString("the.generated.secretkey"),
|
||||
secKey, skcp);
|
||||
}
|
||||
|
||||
if (keyPass == null) {
|
||||
@ -2184,6 +2190,23 @@ public final class Main {
|
||||
} else {
|
||||
out.println("SecretKeyEntry, ");
|
||||
}
|
||||
|
||||
try {
|
||||
SecretKey secKey = (SecretKey) keyStore.getKey(alias, storePass);
|
||||
SecretKeyConstraintsParameters skcp =
|
||||
new SecretKeyConstraintsParameters(secKey);
|
||||
checkWeakConstraint(label, secKey, skcp);
|
||||
} catch (UnrecoverableKeyException e) {
|
||||
/*
|
||||
* UnrecoverableKeyException will be thrown for any secret key
|
||||
* entries that are protected by a different password than
|
||||
* storePass, and we will not be able to check the constraints
|
||||
* because we do not have the keyPass for this operation.
|
||||
* This may occurs for keystores such as JCEKS. Note that this
|
||||
* is not really a new issue as details about secret key entries
|
||||
* other than the fact they exist as entries are not listed.
|
||||
*/
|
||||
}
|
||||
} else if (keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
|
||||
if (verbose || rfc || debug) {
|
||||
Object[] source = {"PrivateKeyEntry"};
|
||||
@ -2489,13 +2512,23 @@ public final class Main {
|
||||
}
|
||||
|
||||
try {
|
||||
keyStore.setEntry(newAlias, entry, pp);
|
||||
Certificate c = srckeystore.getCertificate(alias);
|
||||
if (c != null) {
|
||||
CertPathConstraintsParameters cpcp =
|
||||
buildCertPathConstraint((X509Certificate)c, null);
|
||||
checkWeakConstraint("<" + newAlias + ">", c, cpcp);
|
||||
} else {
|
||||
try {
|
||||
Key key = keyStore.getKey(newAlias, newPass);
|
||||
SecretKeyConstraintsParameters skcp =
|
||||
new SecretKeyConstraintsParameters(key);
|
||||
checkWeakConstraint("<" + newAlias + ">", (SecretKey)key, skcp);
|
||||
} catch (UnrecoverableKeyException e) {
|
||||
// skip
|
||||
}
|
||||
}
|
||||
keyStore.setEntry(newAlias, entry, pp);
|
||||
|
||||
// Place the check so that only successful imports are blocked.
|
||||
// For example, we don't block a failed SecretEntry import.
|
||||
if (P12KEYSTORE.equalsIgnoreCase(storetype) && !isPasswordlessKeyStore) {
|
||||
@ -5009,6 +5042,38 @@ public final class Main {
|
||||
}
|
||||
}
|
||||
|
||||
private void checkWeakConstraint(String label, SecretKey secKey,
|
||||
SecretKeyConstraintsParameters skcp) {
|
||||
// Do not check disabled algorithms for symmetric key based algorithms for now
|
||||
String secKeyAlg = secKey.getAlgorithm();
|
||||
/*
|
||||
* Skipping a secret key entry if its algorithm starts with "PBE".
|
||||
* This is because keytool can only see it as a PBE key and "PBE" is
|
||||
* an alias of "PBEwithMD5andDES" inside the SunJCE security provider,
|
||||
* and its getAlgorithm() always returns "PBEwithMD5andDES". Thus, keytool
|
||||
* won't be able to determine whether this secret key entry is protected
|
||||
* by a weak algorithm or not.
|
||||
*/
|
||||
if (secKeyAlg.startsWith("PBE"))
|
||||
return;
|
||||
|
||||
try {
|
||||
LEGACY_CHECK.permits(secKeyAlg, skcp, true);
|
||||
} catch (CertPathValidatorException e) {
|
||||
String eMessage = e.getMessage();
|
||||
if (eMessage.contains("constraints check failed on keysize limits") &&
|
||||
e.getReason() == BasicReason.ALGORITHM_CONSTRAINED) {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("key.size.weak"), label,
|
||||
String.format(rb.getString("key.bit"),
|
||||
KeyUtil.getKeySize(secKey), secKeyAlg)));
|
||||
} else {
|
||||
weakWarnings.add(String.format(
|
||||
rb.getString("key.algorithm.weak"), label, secKeyAlg));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private void checkWeakConstraint(String label, PKCS10 p10,
|
||||
CertPathConstraintsParameters cpcp) throws Exception {
|
||||
checkWeakConstraint(label, p10.getSigAlg(),
|
||||
@ -5206,6 +5271,38 @@ public final class Main {
|
||||
tinyHelp();
|
||||
return null; // Useless, tinyHelp() already exits.
|
||||
}
|
||||
|
||||
private static class SecretKeyConstraintsParameters implements ConstraintsParameters {
|
||||
private final Key key;
|
||||
private SecretKeyConstraintsParameters(Key key) {
|
||||
this.key = key;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean anchorIsJdkCA() {
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Set<Key> getKeys() {
|
||||
return Set.of(key);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Date getDate() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getVariant() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String extendedExceptionMsg() {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// This class is exactly the same as com.sun.tools.javac.util.Pair,
|
||||
|
@ -72,6 +72,8 @@ public class Resources extends java.util.ListResourceBundle {
|
||||
"Generated {0} secret key"}, //-genseckey
|
||||
{"Generated.keysize.bit.keyAlgName.secret.key",
|
||||
"Generated {0}-bit {1} secret key"}, //-genseckey
|
||||
{"key.algorithm.weak", "%1$s uses the %2$s algorithm which is considered a security risk."},
|
||||
{"key.size.weak", "%1$s uses a %2$s which is considered a security risk."},
|
||||
{"Imports.entries.from.a.JDK.1.1.x.style.identity.database",
|
||||
"Imports entries from a JDK 1.1.x-style identity database"}, //-identitydb
|
||||
{"Imports.a.certificate.or.a.certificate.chain",
|
||||
@ -456,6 +458,7 @@ public class Resources extends java.util.ListResourceBundle {
|
||||
// generating cert/cert req using weak algorithms
|
||||
{"the.certificate.request", "The certificate request"},
|
||||
{"the.issuer", "The issuer"},
|
||||
{"the.generated.secretkey", "The generated secret key"},
|
||||
{"the.generated.certificate", "The generated certificate"},
|
||||
{"the.generated.crl", "The generated CRL"},
|
||||
{"the.generated.certificate.request", "The generated certificate request"},
|
||||
@ -485,7 +488,7 @@ public class Resources extends java.util.ListResourceBundle {
|
||||
{"whose.sigalg.disabled", "%1$s uses the %2$s signature algorithm which is considered a security risk and is disabled."},
|
||||
{"whose.sigalg.usagesignedjar", "%1$s uses the %2$s signature algorithm which is considered a security risk and cannot be used to sign JARs after %3$s."},
|
||||
{"Unable.to.parse.denyAfter.string.in.exception.message", "Unable to parse denyAfter date string in exception message"},
|
||||
{"whose.sigalg.weak", "%1$s uses the %2$s signature algorithm which is considered a security risk. This algorithm will be disabled in a future update."},
|
||||
{"whose.sigalg.weak", "%1$s uses the %2$s signature algorithm which is considered a security risk."},
|
||||
{"whose.key.disabled", "%1$s uses a %2$s which is considered a security risk and is disabled."},
|
||||
{"whose.key.weak", "%1$s uses a %2$s which is considered a security risk. This key size will be disabled in a future update."},
|
||||
{"jks.storetype.warning", "The %1$s keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
|
||||
|
@ -638,11 +638,9 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
|
||||
SHA1 usage SignedJAR & denyAfter 2019-01-01
|
||||
|
||||
#
|
||||
# Legacy algorithms for certification path (CertPath) processing and
|
||||
# signed JAR files.
|
||||
# Legacy cryptographic algorithms and key lengths.
|
||||
#
|
||||
# In some environments, a certain algorithm or key length may be undesirable
|
||||
# but is not yet disabled.
|
||||
# In some environments, a certain algorithm or key length may be undesirable.
|
||||
#
|
||||
# Tools such as keytool and jarsigner may emit warnings when these legacy
|
||||
# algorithms are used. See the man pages for those tools for more information.
|
||||
@ -655,7 +653,8 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
|
||||
# implementations.
|
||||
|
||||
jdk.security.legacyAlgorithms=SHA1, \
|
||||
RSA keySize < 2048, DSA keySize < 2048
|
||||
RSA keySize < 2048, DSA keySize < 2048, \
|
||||
DES, DESede, MD5
|
||||
|
||||
#
|
||||
# Algorithm restrictions for signed JAR files
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -159,7 +159,7 @@ public class ReadJar {
|
||||
.shouldContain("Certificate #1:")
|
||||
.shouldContain("Certificate #2:")
|
||||
.shouldContain("Signer #2:")
|
||||
.shouldMatch("The certificate #.* of signer #.*" + "uses the SHA1withRSA.*will be disabled")
|
||||
.shouldMatch("The certificate #.* of signer #.*" + "uses the SHA1withRSA.*considered a security risk")
|
||||
.shouldMatch("The certificate #.* of signer #.*" + "uses a 512-bit RSA key.*is disabled")
|
||||
.shouldHaveExitValue(0);
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2017, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -156,15 +156,15 @@ public class WeakAlg {
|
||||
// (w/ different formats)
|
||||
checkWeakGenKeyPair("x", "-keyalg RSA -sigalg SHA1withRSA", "SHA1withRSA");
|
||||
checkWeakGenKeyPair("y", "-keyalg RSA -keysize 1024", "1024-bit RSA key");
|
||||
checkWeakGenKeyPair("z", "-keyalg RSA", null);
|
||||
checkWeakGenKeyPair("z", "-keyalg RSA", "nowarn");
|
||||
|
||||
kt("-list")
|
||||
.shouldContain("Warning:")
|
||||
.shouldMatch("<x>.*SHA1withRSA.*will be disabled")
|
||||
.shouldMatch("<x>.*SHA1withRSA.*considered a security risk")
|
||||
.shouldMatch("<y>.*1024-bit RSA key.*will be disabled");
|
||||
kt("-list -v")
|
||||
.shouldContain("Warning:")
|
||||
.shouldMatch("<x>.*SHA1withRSA.*will be disabled")
|
||||
.shouldMatch("<x>.*SHA1withRSA.*considered a security risk")
|
||||
.shouldContain("SHA1withRSA (weak)")
|
||||
.shouldMatch("<y>.*1024-bit RSA key.*will be disabled")
|
||||
.shouldContain("1024-bit RSA key (weak)");
|
||||
@ -173,21 +173,21 @@ public class WeakAlg {
|
||||
// or -list or -exportcert
|
||||
|
||||
// -certreq, -printcertreq, -gencert
|
||||
checkWeakCertReq("x", "", null);
|
||||
checkWeakCertReq("x", "", "nowarn");
|
||||
gencert("z-x", "")
|
||||
.shouldNotContain("Warning"); // new sigalg is not weak
|
||||
gencert("z-x", "-sigalg SHA1withRSA")
|
||||
.shouldContain("Warning:")
|
||||
.shouldMatch("The generated certificate.*SHA1withRSA.*will be disabled");
|
||||
.shouldMatch("The generated certificate.*SHA1withRSA.*considered a security risk");
|
||||
|
||||
checkWeakCertReq("x", "-sigalg SHA1withRSA", "SHA1withRSA");
|
||||
gencert("z-x", "")
|
||||
.shouldContain("Warning:")
|
||||
.shouldMatch("The certificate request.*SHA1withRSA.*will be disabled");
|
||||
.shouldMatch("The certificate request.*SHA1withRSA.*considered a security risk");
|
||||
gencert("z-x", "-sigalg SHA1withRSA")
|
||||
.shouldContain("Warning:")
|
||||
.shouldMatch("The certificate request.*SHA1withRSA.*will be disabled")
|
||||
.shouldMatch("The generated certificate.*SHA1withRSA.*will be disabled");
|
||||
.shouldMatch("The certificate request.*SHA1withRSA.*considered a security risk")
|
||||
.shouldMatch("The generated certificate.*SHA1withRSA.*considered a security risk");
|
||||
|
||||
checkWeakCertReq("y", "", "1024-bit RSA key");
|
||||
gencert("z-y", "")
|
||||
@ -195,10 +195,10 @@ public class WeakAlg {
|
||||
.shouldMatch("The certificate request.*1024-bit RSA key.*will be disabled")
|
||||
.shouldMatch("The generated certificate.*1024-bit RSA key.*will be disabled");
|
||||
|
||||
checkWeakCertReq("z", "", null);
|
||||
checkWeakCertReq("z", "", "nowarn");
|
||||
gencert("x-z", "")
|
||||
.shouldContain("Warning:")
|
||||
.shouldMatch("The issuer.*SHA1withRSA.*will be disabled");
|
||||
.shouldMatch("The issuer.*SHA1withRSA.*considered a security risk");
|
||||
|
||||
// but the new cert is not weak
|
||||
kt("-printcert -file x-z.cert")
|
||||
@ -210,10 +210,10 @@ public class WeakAlg {
|
||||
.shouldMatch("The issuer.*1024-bit RSA key.*will be disabled");
|
||||
|
||||
// -gencrl, -printcrl
|
||||
checkWeakGenCRL("x", "", null);
|
||||
checkWeakGenCRL("x", "", "nowarn");
|
||||
checkWeakGenCRL("x", "-sigalg SHA1withRSA", "SHA1withRSA");
|
||||
checkWeakGenCRL("y", "", "1024-bit RSA key");
|
||||
checkWeakGenCRL("z", "", null);
|
||||
checkWeakGenCRL("z", "", "nowarn");
|
||||
|
||||
kt("-delete -alias y");
|
||||
kt("-printcrl -file y.crl")
|
||||
@ -730,63 +730,114 @@ public class WeakAlg {
|
||||
String alias, String options, String bad) {
|
||||
|
||||
OutputAnalyzer oa = genkeypair(alias, options);
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning");
|
||||
} else {
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The generated certificate.*" + bad + ".*will be disabled");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The generated certificate.*" + bad + ".*considered a security risk");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The generated certificate.*" + bad + ".*will be disabled");
|
||||
break;
|
||||
}
|
||||
|
||||
oa = kt("-exportcert -alias " + alias + " -file " + alias + ".cert");
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning");
|
||||
} else {
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*considered a security risk");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
break;
|
||||
}
|
||||
|
||||
oa = kt("-exportcert -rfc -alias " + alias + " -file " + alias + ".cert");
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning");
|
||||
} else {
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*considered a security risk");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
break;
|
||||
}
|
||||
|
||||
oa = kt("-printcert -rfc -file " + alias + ".cert");
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning");
|
||||
} else {
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*considered a security risk");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
break;
|
||||
}
|
||||
|
||||
oa = kt("-list -alias " + alias);
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning");
|
||||
} else {
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*considered a security risk");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
break;
|
||||
}
|
||||
|
||||
// With cert content
|
||||
|
||||
oa = kt("-printcert -file " + alias + ".cert");
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning");
|
||||
} else {
|
||||
oa.shouldContain("Warning")
|
||||
.shouldContain(bad + " (weak)")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldContain(bad + " (weak)")
|
||||
.shouldMatch("The certificate.*" + bad + ".*considered a security risk");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldContain(bad + " (weak)")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
break;
|
||||
}
|
||||
|
||||
oa = kt("-list -v -alias " + alias);
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning");
|
||||
} else {
|
||||
oa.shouldContain("Warning")
|
||||
.shouldContain(bad + " (weak)")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldContain(bad + " (weak)")
|
||||
.shouldMatch("The certificate.*" + bad + ".*considered a security risk");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldContain(bad + " (weak)")
|
||||
.shouldMatch("The certificate.*" + bad + ".*will be disabled");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
@ -795,23 +846,39 @@ public class WeakAlg {
|
||||
|
||||
OutputAnalyzer oa = kt("-gencrl -alias " + alias
|
||||
+ " -id 1 -file " + alias + ".crl " + options);
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning");
|
||||
} else {
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The generated CRL.*" + bad + ".*will be disabled");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The generated CRL.*" + bad + ".*considered a security risk");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The generated CRL.*" + bad + ".*will be disabled");
|
||||
break;
|
||||
}
|
||||
|
||||
oa = kt("-printcrl -file " + alias + ".crl");
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning")
|
||||
.shouldContain("Verified by " + alias + " in keystore")
|
||||
.shouldNotContain("(weak");
|
||||
} else {
|
||||
oa.shouldContain("Warning:")
|
||||
.shouldMatch("The CRL.*" + bad + ".*will be disabled")
|
||||
.shouldContain("Verified by " + alias + " in keystore")
|
||||
.shouldContain(bad + " (weak)");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning")
|
||||
.shouldContain("Verified by " + alias + " in keystore")
|
||||
.shouldNotContain("(weak");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The CRL.*" + bad + ".*considered a security risk")
|
||||
.shouldContain("Verified by " + alias + " in keystore")
|
||||
.shouldContain(bad + " (weak)");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The CRL.*" + bad + ".*will be disabled")
|
||||
.shouldContain("Verified by " + alias + " in keystore")
|
||||
.shouldContain(bad + " (weak)");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
@ -819,21 +886,36 @@ public class WeakAlg {
|
||||
String alias, String options, String bad) {
|
||||
|
||||
OutputAnalyzer oa = certreq(alias, options);
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning");
|
||||
} else {
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The generated certificate request.*" + bad + ".*will be disabled");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The generated certificate request.*" + bad + ".*considered a security risk");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The generated certificate request.*" + bad + ".*will be disabled");
|
||||
break;
|
||||
}
|
||||
|
||||
oa = kt("-printcertreq -file " + alias + ".req");
|
||||
if (bad == null) {
|
||||
oa.shouldNotContain("Warning")
|
||||
.shouldNotContain("(weak)");
|
||||
} else {
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate request.*" + bad + ".*will be disabled")
|
||||
.shouldContain(bad + " (weak)");
|
||||
switch (bad) {
|
||||
case "nowarn":
|
||||
oa.shouldNotContain("Warning")
|
||||
.shouldNotContain("(weak)");
|
||||
break;
|
||||
case "SHA1withRSA":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate request.*" + bad + ".*considered a security risk")
|
||||
.shouldContain(bad + " (weak)");
|
||||
break;
|
||||
case "1024-bit RSA key":
|
||||
oa.shouldContain("Warning")
|
||||
.shouldMatch("The certificate request.*" + bad + ".*will be disabled")
|
||||
.shouldContain(bad + " (weak)");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
94
test/jdk/sun/security/tools/keytool/WeakSecretKeyTest.java
Normal file
94
test/jdk/sun/security/tools/keytool/WeakSecretKeyTest.java
Normal file
@ -0,0 +1,94 @@
|
||||
/*
|
||||
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
* published by the Free Software Foundation.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* version 2 for more details (a copy is included in the LICENSE file that
|
||||
* accompanied this code).
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License version
|
||||
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
* or visit www.oracle.com if you need additional information or have any
|
||||
* questions.
|
||||
*/
|
||||
|
||||
/*
|
||||
* @test
|
||||
* @bug 8255552
|
||||
* @summary Test keytool commands associated with secret key entries which use weak algorithms
|
||||
* @library /test/lib
|
||||
*/
|
||||
|
||||
import jdk.test.lib.SecurityTools;
|
||||
import jdk.test.lib.process.OutputAnalyzer;
|
||||
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Paths;
|
||||
|
||||
public class WeakSecretKeyTest {
|
||||
|
||||
private static final String JAVA_SECURITY_FILE = "java.security";
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
SecurityTools.keytool("-keystore ks.p12 -storepass changeit " +
|
||||
"-genseckey -keyalg DESede -alias des3key")
|
||||
.shouldContain("Warning")
|
||||
.shouldMatch("The generated secret key uses the DESede algorithm.*considered a security risk")
|
||||
.shouldHaveExitValue(0);
|
||||
|
||||
SecurityTools.keytool("-keystore ks.p12 -storepass changeit " +
|
||||
"-genseckey -keyalg DES -alias deskey")
|
||||
.shouldContain("Warning")
|
||||
.shouldMatch("The generated secret key uses the DES algorithm.*considered a security risk")
|
||||
.shouldHaveExitValue(0);
|
||||
|
||||
SecurityTools.keytool("-keystore ks.p12 -storepass changeit " +
|
||||
"-genseckey -keyalg AES -alias aeskey -keysize 256")
|
||||
.shouldNotContain("Warning")
|
||||
.shouldNotMatch("The generated secret key uses the AES algorithm.*considered a security risk")
|
||||
.shouldHaveExitValue(0);
|
||||
|
||||
SecurityTools.keytool("-keystore ks.p12 -storepass changeit " +
|
||||
"-list -v")
|
||||
.shouldContain("Warning")
|
||||
.shouldMatch("<des3key> uses the DESede algorithm.*considered a security risk")
|
||||
.shouldMatch("<deskey> uses the DES algorithm.*considered a security risk")
|
||||
.shouldNotMatch("<aeskey> uses the AES algorithm.*considered a security risk")
|
||||
.shouldHaveExitValue(0);
|
||||
|
||||
SecurityTools.setResponse("changeit", "changeit");
|
||||
SecurityTools.keytool("-importkeystore -srckeystore ks.p12 -destkeystore ks.new " +
|
||||
"-deststoretype pkcs12 -srcstorepass changeit ")
|
||||
.shouldContain("Warning")
|
||||
.shouldMatch("<des3key> uses the DESede algorithm.*considered a security risk")
|
||||
.shouldMatch("<deskey> uses the DES algorithm.*considered a security risk")
|
||||
.shouldHaveExitValue(0);
|
||||
|
||||
SecurityTools.keytool("-keystore ks.new -storepass changeit " +
|
||||
"-list -v")
|
||||
.shouldContain("Warning")
|
||||
.shouldMatch("<des3key> uses the DESede algorithm.*considered a security risk")
|
||||
.shouldMatch("<deskey> uses the DES algorithm.*considered a security risk")
|
||||
.shouldHaveExitValue(0);
|
||||
|
||||
Files.writeString(Files.createFile(Paths.get(JAVA_SECURITY_FILE)),
|
||||
"jdk.security.legacyAlgorithms=AES keySize < 256\n");
|
||||
|
||||
SecurityTools.keytool("-keystore ks.p12 -storepass changeit " +
|
||||
"-genseckey -keyalg AES -alias aeskey1 -keysize 128 " +
|
||||
"-J-Djava.security.properties=" +
|
||||
JAVA_SECURITY_FILE)
|
||||
.shouldContain("Warning")
|
||||
.shouldMatch("The generated secret key uses a 128-bit AES key.*considered a security risk")
|
||||
.shouldHaveExitValue(0);
|
||||
}
|
||||
}
|
Loading…
x
Reference in New Issue
Block a user