Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8228481

Upgrade the default PKCS12 encryption/MAC algorithms

    Details

    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      medium
    • Compatibility Risk Description:
      Hide
      These are 2 kinds of compatibility impacts:

      1. Newly generated pkcs12 files will not be recognized by older versions of JDK. JDK 8u has a problem recognizing PBES2 parameters (JDK-8202837, JDK-8214513), and JDK 11u does not recognize HmacPBESHA256 (JDK-8076190).

      Even if the new keystore using stronger algorithm is recognized by an older version of JDK, when such a keystore is loaded and then stored by an old version of keytool, it will use weaker algorithms in certificate protection and integrity protection (MacData).

      2. Newly generated pkcs12 files might not be recognized by browsers and key/certificate managers on various systems. Only openssl and Windows Server 2019 supports these algorithms. They are not recognized by Windows Server 2016, macOS 10.15, and the latest Firefox.

      Since this is a crypto roadmap enhancement, we are most likely to backport this fix and JDK-8076190 to make sure #1 above do not happen after every release is updated to the latest baseline.

      As for #2, a keytool command can be used to downgrade a pkcs12 file to use weaker algorithms. ("keytool -J-Dkeystore.pkcs12.legacy -importkeystore").

      However, while other tools use pkcs12 as an exchange format, Java uses it as the primary keystore format. It makes sense to be more strict for Java when choosing default protection algorithms.

      One alternative is to only enhance the algorithm for key protection and leave the other 2 algorithms unchanged. This style will be recognized by Firefox but not macOS.
      Show
      These are 2 kinds of compatibility impacts: 1. Newly generated pkcs12 files will not be recognized by older versions of JDK. JDK 8u has a problem recognizing PBES2 parameters ( JDK-8202837 , JDK-8214513 ), and JDK 11u does not recognize HmacPBESHA256 ( JDK-8076190 ). Even if the new keystore using stronger algorithm is recognized by an older version of JDK, when such a keystore is loaded and then stored by an old version of keytool, it will use weaker algorithms in certificate protection and integrity protection (MacData). 2. Newly generated pkcs12 files might not be recognized by browsers and key/certificate managers on various systems. Only openssl and Windows Server 2019 supports these algorithms. They are not recognized by Windows Server 2016, macOS 10.15, and the latest Firefox. Since this is a crypto roadmap enhancement, we are most likely to backport this fix and JDK-8076190 to make sure #1 above do not happen after every release is updated to the latest baseline. As for #2, a keytool command can be used to downgrade a pkcs12 file to use weaker algorithms. ("keytool -J-Dkeystore.pkcs12.legacy -importkeystore"). However, while other tools use pkcs12 as an exchange format, Java uses it as the primary keystore format. It makes sense to be more strict for Java when choosing default protection algorithms. One alternative is to only enhance the algorithm for key protection and leave the other 2 algorithms unchanged. This style will be recognized by Firefox but not macOS.
    • Interface Kind:
      System or security property, File or wire format
    • Scope:
      JDK

      Description

      Summary

      Upgrade the default agorithms used in PKCS 12 to use new PBES2 based encryption and stronger algorithms like AES and SHA-2.

      Problem

      PKCS12 is the default keystore format since JDK 9, but we have been using weak algorithms which was the standard of 1990s. The algorithms are becoming a security issue now especially for the key protection algorithms which is used to protect private keys.

      Many OSes and browsers have since adopted stronger algorithms but the level of support is not consistent among them. The strong key algorithm is now supported by all major OSes and browsers, but algorithms for certificate protection and integrity protection are not.

      The latest Windows Server 2019 now provides two options when exporting private keys into a pkcs12 file: "legacy" and "stronger".

      Solution

      Upgrade the algorithms used in certificate encryption, key encryption, and integrity protection to the values as described in the specification below. These algorithms are the same as the stronger algorithms used in Windows Server 2019.

      We will also define a new system property, that when set, will override the settings above to use the older, weaker algorithms.

      Specification

      First, make the following change in java.security.

      diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
      --- a/src/java.base/share/conf/security/java.security
      +++ b/src/java.base/share/conf/security/java.security
      @@ -1118,8 +1118,8 @@
       # The algorithm used to encrypt a certificate. This can be any non-Hmac PBE
       # algorithm defined in the Cipher section of the Java Security Standard
       # Algorithm Names Specification. When set to "NONE", the certificate
      -# is not encrypted. The default value is "PBEWithSHA1AndRC2_40".
      -#keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40
      +# is not encrypted. The default value is "PBEWithHmacSHA256AndAES_256".
      +#keystore.pkcs12.certProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
      
       # The iteration count used by the PBE algorithm when encrypting a certificate.
       # This value must be a positive integer. The default value is 50000.
      @@ -1128,8 +1128,8 @@
       # The algorithm used to encrypt a private key or secret key. This can be
       # any non-Hmac PBE algorithm defined in the Cipher section of the Java
       # Security Standard Algorithm Names Specification. The value must not be "NONE".
      -# The default value is "PBEWithSHA1AndDESede".
      -#keystore.pkcs12.keyProtectionAlgorithm = PBEWithSHA1AndDESede
      +# The default value is "PBEWithHmacSHA256AndAES_256".
      +#keystore.pkcs12.keyProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
      
       # The iteration count used by the PBE algorithm when encrypting a private key
       # or a secret key. This value must be a positive integer. The default value
      @@ -1139,8 +1139,8 @@
       # The algorithm used to calculate the optional MacData at the end of a PKCS12
       # file. This can be any HmacPBE algorithm defined in the Mac section of the
       # Java Security Standard Algorithm Names Specification. When set to "NONE",
      -# no Mac is generated. The default value is "HmacPBESHA1".
      -#keystore.pkcs12.macAlgorithm = HmacPBESHA1
      +# no Mac is generated. The default value is "HmacPBESHA256".
      +#keystore.pkcs12.macAlgorithm = HmacPBESHA256
      
       # The iteration count used by the MacData algorithm. This value must be a
       # positive integer. The default value is 100000.

      Thr iteration counts used by key protection, certificate protection, and MacData remain the same.

      Second, define a new system property named keystore.pkcs12.legacy that will automatically override the system/security properties above to use the older, weaker algorithms (which is equivalent to -Dkeystore.pkcs12.certProtectionAlgorithm=PBEWithSHA1AndRC2_40 -Dkeystore.pkcs12.keyProtectionAlgorithm=PBEWithSHA1AndDESede -Dkeystore.pkcs12.macAlgorithm=HmacPBESHA1 -Dkeystore.pkcs12.certPbeIterationCount=50000 -Dkeystore.pkcs12.keyPbeIterationCount=50000 -Dkeystore.pkcs12.macIterationCount=100000). There is no value defined for this property.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                vinnie Vincent Ryan
                Reviewed By:
                Sean Mullan
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: