Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8171319 keytool should print out warnings when reading or generating cert/cert req using weak algorithms
  3. JDK-8176087

Release Note: keytool now prints warnings when reading or generating certificates/certificate requests/CRLs using weak algorithms


    • Type: Sub-task
    • Status: Closed
    • Priority: P2
    • Resolution: Delivered
    • Affects Version/s: 7u171, 8u151, 9
    • Fix Version/s: 9
    • Component/s: security-libs



        With one exception, keytool will always print a warning if the certificate, certificate request, or CRL it is parsing, verifying, or generating is using a weak algorithm or key. When a certificate is from an existing `TrustedCertificateEntry`, either in the keystore directly operated on or in the `cacerts` keystore when the `-trustcacerts` option is specified for the `-importcert` command, keytool will not print a warning if it is signed with a weak signature algorithm. For example, suppose the file `cert` contains a CA certificate signed with a weak signature algorithm, `keytool -printcert -file cert` and `keytool -importcert -file cert -alias ca -keystore ks` will print out a warning, but after the last command imports it into the keystore, `keytool -list -alias ca -keystore ks` will not show a warning anymore.

        An algorithm or a key is weak if it matches the value of the `jdk.certpath.disabledAlgorithms` security property defined in the `conf/security/java.security` file.


            Issue Links



                • Assignee:
                  weijun Weijun Wang
                  weijun Weijun Wang
                • Votes:
                  0 Vote for this issue
                  2 Start watching this issue


                  • Created: