stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8212003: Deprecating the default keytool -keyalg option

Browse Source 
Reviewed-by: mullan, xuelei
This commit is contained in:
Weijun Wang 2018-11-17 18:11:23 +08:00
parent 3e936d3cd9
commit c20332c412
5 changed files with 88 additions and 22 deletions
src/java.base/share/classes/sun/security/tools/keytool
Main.javaResources.java
test/jdk/sun/security/tools/keytool
DeprecateKeyalg.javaKeyToolTest.javaWeakAlg.java

35
src/java.base/share/classes/sun/security/tools/keytool/Main.java

@ -1123,12 +1123,16 @@ public final class Main {
} else if (command == GENKEYPAIR) {
if (keyAlgName == null) {
keyAlgName = "DSA";
weakWarnings.add(String.format(rb.getString(
"keyalg.option.1.missing.warning"), keyAlgName));
}
doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
kssave = true;
} else if (command == GENSECKEY) {
if (keyAlgName == null) {
keyAlgName = "DES";
weakWarnings.add(String.format(rb.getString(
"keyalg.option.1.missing.warning"), keyAlgName));
}
doGenSecretKey(alias, keyAlgName, keysize);
kssave = true;
@ -1758,13 +1762,11 @@ public final class Main {
keygen.init(keysize);
secKey = keygen.generateKey();
if (verbose) {
MessageFormat form = new MessageFormat(rb.getString
("Generated.keysize.bit.keyAlgName.secret.key"));
Object[] source = {keysize,
secKey.getAlgorithm()};
System.err.println(form.format(source));
}
MessageFormat form = new MessageFormat(rb.getString
("Generated.keysize.bit.keyAlgName.secret.key"));
Object[] source = {keysize,
secKey.getAlgorithm()};
System.err.println(form.format(source));
}
if (keyPass == null) {
@ -1841,6 +1843,7 @@ public final class Main {
// If DN is provided, parse it. Otherwise, prompt the user for it.
X500Name x500Name;
if (dname == null) {
printWeakWarnings(true);
x500Name = getX500Name();
} else {
x500Name = new X500Name(dname);
@ -1866,16 +1869,14 @@ public final class Main {
chain[0] = keypair.getSelfCertificate(
x500Name, getStartDate(startDate), validity*24L*60L*60L, ext);
if (verbose) {
MessageFormat form = new MessageFormat(rb.getString
("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
Object[] source = {keysize,
privKey.getAlgorithm(),
chain[0].getSigAlgName(),
validity,
x500Name};
System.err.println(form.format(source));
}
MessageFormat form = new MessageFormat(rb.getString
("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
Object[] source = {keysize,
privKey.getAlgorithm(),
chain[0].getSigAlgName(),
validity,
x500Name};
System.err.println(form.format(source));
if (keyPass == null) {
keyPass = promptForKeyPass(alias, null, storePass);

1
src/java.base/share/classes/sun/security/tools/keytool/Resources.java

@ -481,6 +481,7 @@ public class Resources extends java.util.ListResourceBundle {
{"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."},
{"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."},
{"importing.keystore.status", "Importing keystore %1$s to %2$s..."},
{"keyalg.option.1.missing.warning", "No -keyalg option. The default key algorithm (%s) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified."},
};

64
test/jdk/sun/security/tools/keytool/DeprecateKeyalg.java Normal file

@ -0,0 +1,64 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;
/**
* @test
* @bug 8212003
* @summary Deprecating the default keytool -keyalg option
* @library /test/lib
*/
public class DeprecateKeyalg {
private static final String COMMON = "-keystore ks -storetype jceks "
+ "-storepass changeit -keypass changeit";
public static void main(String[] args) throws Throwable {
kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
.shouldContain("Generating")
.shouldNotContain("-keyalg option must be specified");
kt("-genkeypair -alias b -dname CN=B")
.shouldContain("Generating")
.shouldContain("default key algorithm (DSA)")
.shouldContain("-keyalg option must be specified");
kt("-genseckey -keyalg DES -alias c")
.shouldContain("Generated")
.shouldNotContain("-keyalg option must be specified");
kt("-genseckey -alias d")
.shouldContain("Generated")
.shouldContain("default key algorithm (DES)")
.shouldContain("-keyalg option must be specified");
}
private static OutputAnalyzer kt(String cmd) throws Throwable {
return SecurityTools.keytool(COMMON + " " + cmd)
.shouldHaveExitValue(0);
}
}

8
test/jdk/sun/security/tools/keytool/KeyToolTest.java

@ -638,12 +638,12 @@ public class KeyToolTest {
"-genkeypair -alias p1 -dname CN=olala");
// when specify keypass, make sure keypass==storepass...
testOK("changeit\n", "-keystore x.p12 -keypass changeit " +
"-storetype PKCS12 -genkeypair -alias p3 -dname CN=olala");
"-storetype PKCS12 -genkeypair -keyalg DSA -alias p3 -dname CN=olala");
assertTrue(err.indexOf("Warning") == -1,
"PKCS12 silent when keypass == storepass");
// otherwise, print a warning
testOK("changeit\n", "-keystore x.p12 -keypass another" +
" -storetype PKCS12 -genkeypair -alias p2 -dname CN=olala");
" -storetype PKCS12 -genkeypair -keyalg DSA -alias p2 -dname CN=olala");
assertTrue(err.indexOf("Warning") != -1,
"PKCS12 warning when keypass != storepass");
// no -keypasswd for PKCS12
@ -663,12 +663,12 @@ public class KeyToolTest {
"-genkeypair -alias p1 -dname CN=olala");
// when specify keypass, make sure keypass==storepass...
testOK("", "-storepass changeit -keystore x.p12 -keypass changeit " +
"-storetype PKCS12 -genkeypair -alias p3 -dname CN=olala");
"-storetype PKCS12 -genkeypair -keyalg DSA -alias p3 -dname CN=olala");
assertTrue(err.indexOf("Warning") == -1,
"PKCS12 silent when keypass == storepass");
// otherwise, print a warning
testOK("", "-storepass changeit -keystore x.p12 -keypass another " +
"-storetype PKCS12 -genkeypair -alias p2 -dname CN=olala");
"-storetype PKCS12 -genkeypair -keyalg DSA -alias p2 -dname CN=olala");
assertTrue(err.indexOf("Warning") != -1,
"PKCS12 warning when keypass != storepass");

2
test/jdk/sun/security/tools/keytool/WeakAlg.java

@ -158,7 +158,7 @@ public class WeakAlg {
rm("ks");
rm("ks2");
kt("-genkeypair -alias a -dname CN=A")
kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
.shouldNotContain("Warning:");
kt("-list")
.shouldNotContain("Warning:");