
Deprecating the default keytool -keyalg value

Details

• Type: CSR
• Status: Closed
• Priority: P3
• Resolution: Approved
• Fix Version/s: 12
• Component/s: security-libs
• Labels: None
• Compatibility Kind: behavioral
• Compatibility Risk: minimal
• Compatibility Risk Description: The default value is only deprecated and not removed. The warning is informational and does not change the exit code of keytool. A script that compares output character by character will notice a small difference.
• Interface Kind: add/remove/modify command line option
• Scope: JDK

Description

Summary

Deprecate the default -keyalg value for the -genkeypair and -genseckey commands of keytool, so that a warning is printed whenever the user has not explicitly specified one.

Problem

The current default -keyalg value is "DSA" for -genkeypair and "DES" for -genseckey. Both are legacy algorithms that are not used in modern security-related protocols.

Solution

Deprecate the default -keyalg value for these two commands and recommend that users explicitly specify one. Cryptography is evolving all the time, and choosing a default -keyalg value when keytool was created was probably a mistake. Not having a default -keyalg value also makes users state what they want, perhaps learning about certificates and making an educated choice in the process.

We plan to remove the default value in a future release.

Specification

For keytool -genkeypair, if no -keyalg is specified, the following warning will be shown:

Warning: No -keyalg option. The default key algorithm (DSA) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified.

For keytool -genseckey, the "DES" algorithm name is shown instead.

For both commands, whether or not -keyalg is specified, an informational line is printed after the key is successfully created, showing what kind of key was created, including the key algorithm and the signature algorithm (if relevant). For example:

Generating 2,048 bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 90 days for: CN=X

For the keytool.html document, remove the "-keyalg" item in the default value box of the "Examples of Option Values" section.
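As an added example (not part of this CSR, the keytool source, or JDK documentation), the following Python helper models the behaviour specified above so that build and deployment scripts can be audited before the default disappears: it works out which key algorithm a keytool -genkeypair or -genseckey invocation will actually use, whether that value came from the implicit legacy default, reproduces the warning text from the specification for such invocations, and parses the informational line printed after key creation. The function names, the audit_script helper and the sample build script are this example's own constructions; the option names are the real keytool options used in the text above.

```python
"""Audit helper modelling the keytool -keyalg deprecation (JDK-8212111).

Added example, not JDK code.  All function names are this example's own.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Implicit defaults named in the CSR: DSA for -genkeypair, DES for -genseckey.
LEGACY_DEFAULTS = {"-genkeypair": "DSA", "-genseckey": "DES"}

# Shape of the informational line quoted in the specification (Specification section).
INFO_LINE = re.compile(
    r"^Generating ([\d,]+) bit (\S+) key pair and self-signed certificate "
    r"\((\S+)\) with a validity of (\d+) days for: (.+)$"
)


def effective_keyalg(argv: List[str]) -> Optional[Tuple[str, str, bool]]:
    """Return (command, algorithm, explicit) for a keytool argument list.

    Returns None when argv is not a -genkeypair/-genseckey invocation.
    `explicit` is True when -keyalg was given on the command line.
    """
    command = next((a for a in argv if a in LEGACY_DEFAULTS), None)
    if command is None:
        return None
    for i, arg in enumerate(argv):
        if arg == "-keyalg":
            if i + 1 >= len(argv):
                raise ValueError("-keyalg given without a value")
            return command, argv[i + 1], True
    # No explicit value: keytool falls back to the legacy default.
    return command, LEGACY_DEFAULTS[command], False


def deprecation_warning(argv: List[str]) -> Optional[str]:
    """The warning text from the CSR, or None when -keyalg is specified."""
    info = effective_keyalg(argv)
    if info is None or info[2]:
        return None
    alg = info[1]
    return (
        f"Warning: No -keyalg option. The default key algorithm ({alg}) is a "
        "legacy algorithm and is no longer recommended. In a subsequent release "
        "of the JDK, the default will be removed and the -keyalg option must be "
        "specified."
    )


def parse_info_line(line: str) -> Optional[Dict[str, object]]:
    """Parse the 'Generating ... key pair ...' line into its fields."""
    m = INFO_LINE.match(line.strip())
    if not m:
        return None
    bits, keyalg, sigalg, days, dname = m.groups()
    return {
        "bits": int(bits.replace(",", "")),  # keytool prints "2,048"
        "keyalg": keyalg,
        "sigalg": sigalg,
        "validity_days": int(days),
        "dname": dname,
    }


def audit_script(script_text: str) -> List[Tuple[int, str]]:
    """Return (line number, warning) for every keytool line in a shell script
    that would trigger the deprecation warning, i.e. relies on the legacy default."""
    findings = []
    for n, line in enumerate(script_text.splitlines(), start=1):
        try:
            words = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if not words or words[0].rsplit("/", 1)[-1] != "keytool":
            continue
        warning = deprecation_warning(words[1:])
        if warning:
            findings.append((n, warning))
    return findings


# Constructed build-script fragment (not taken from the page) used as sample input.
SAMPLE_SCRIPT = """\
# constructed sample: two invocations rely on the legacy default
keytool -genkeypair -alias app -keystore app.p12 -dname "CN=X" -validity 90
$JAVA_HOME/bin/keytool -genkeypair -keyalg EC -keysize 256 -alias sig -keystore app.p12
keytool -genseckey -alias secret -keystore app.p12
keytool -list -keystore app.p12
"""

if __name__ == "__main__":
    for lineno, warning in audit_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {warning}")
```

Running the block audits the embedded sample script and reports lines 2 and 4, the -genkeypair and -genseckey calls that omit -keyalg; the EC call on line 3 and the -list call on line 5 are silent, matching the behaviour the specification describes. The audit deliberately matches option names exactly as written in the script, so a line that builds its arguments from shell variables is not inspected.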

People

• Assignee: weijun (Weijun Wang)
• Reporter: mullan (Sean Mullan)
• Reviewed By: Sean Mullan, Xue-Lei Fan