JDK-8177569

keytool should not warn if signature algorithm used in cacerts is weak

    Details

    • Introduced In Version: 9
    • Resolved In Build: b164
    • Verification: Verified


        Description

        Currently keytool warns about weak signature algorithms used by a certificate. However, if that certificate is in cacerts it should not be an issue. In fact, the certificate is pre-validated and we don't check the signature at all in Java.


            Activity

            weijun Weijun Wang added a comment - edited
            Fix request:

            We don't check for root CA's signature algorithm in CertPath API and the keytool warnings should be consistent with it. Since the warnings are newly added into JDK 9, it's better to be correct from the beginning to avoid any confusion. The fix is straightforward and focused on the problem itself and has a low risk. A new test case is also added.

            The proposed fix is in code review now at http://cr.openjdk.java.net/~weijun/8177569/webrev.00/.
            mullan Sean Mullan added a comment -
            Fix request approved.

            This fix is needed to avoid false warnings being generated by keytool on root certificates in the cacerts keystore.
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/b79469412aa0
            User: weijun
            Date: 2017-03-29 23:31:23 +0000
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/b79469412aa0
            User: lana
            Date: 2017-04-05 18:30:57 +0000

              People

              • Assignee: weijun Weijun Wang
              • Reporter: weijun Weijun Wang