Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8238640

Tools should warn if weak algorithms are used before restricting them

    Details

    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Interface Kind:
      System or security property
    • Scope:
      JDK

      Description

      Summary

      Add "jdk.security.legacyAlgorithms" security property to the java.security property file. The keytool and jarsigner tools will be enhanced to enforce the new property and to print out warnings when the legacy algorithms are used.This enables users to plan transitioning away from them.

      Problem

      The JDK currently rejects some weak algorithms (Ex: MD5) in a signed jar or a certificate using the "jdk.jar.disabledAlgorithms" and "jdk.certpath.disabledAlgorithms" security properties. The keytool and jarsigner tools currently enforce these properties and show proper warnings when a signed jar or certificate is using any of these disabled algorithms.

      However, it would be useful to provide warnings on legacy algorithms that are becoming weak, so that users could begin to transition away from them, before they are actually disabled.

      The first round of legacy algorithms include SHA1 and RSA/DSA keys less than 2048-bits.

      Solution

      Add new security property describing the weak algorithms and the minimum RSA/DSA key size requirement, and let jarsigner and keytool show warnings accordingly when either case is being detected.

      Specification

      A new security property is introduced with the default values:

      #
      # Legacy algorithms for certification path (CertPath) processing and
      # signed JAR files.
      #
      # In some environments, a certain algorithm or key length may be undesirable
      # but is not yet disabled.
      #
      # Tools such as keytool and jarsigner may emit warnings when these legacy
      # algorithms are used. See the man pages for those tools for more information.
      #
      # The syntax is the same as the "jdk.certpath.disabledAlgorithms" and
      # "jdk.jar.disabledAlgorithms" security properties.
      #
      # Note: This property is currently used by the JDK Reference
      # implementation. It is not guaranteed to be examined and used by other
      # implementations.
      
      jdk.security.legacyAlgorithms=SHA1, \
          RSA keySize < 2048, DSA keySize < 2048

      Notes:

      keytool will use "jdk.certpath.disabledAlgorithms" and "jdk.security.legacyAlgorithms" security properties to decide which algorithm or key size is considered a security risk. Previously it used "jdk.certpath.disabledAlgorithms".

      The warning message for the legacy algorithm found in "jdk.security.legacyAlgorithms" will be emitted as follows (using keytool -gencert as an example):

      The generated certificate uses the SHA1withRSA signature algorithm which is
      considered a security risk. This algorithm will be disabled in a future update.

      For the disabled algorithm found in "jdk.certpath.disabledAlgorithms", the warning message will be:

      The generated certificate uses the MD5withRSA signature algorithm which is
       considered a security risk and is disabled.

      Signing a JAR file by jarsigner tool will use "jdk.jar.disabledAlgorithms" and "jdk.security.legacyAlgorithms" to decide which algorithm or key size is considered a security risk. Previously it used "jdk.jar.disabledAlgorithms".

      The warning message for the legacy algorithm found in "jdk.security.legacyAlgorithms" will be emitted as follows:

      The SHA1 algorithm specified for the -digestalg option is considered a security
      risk. This algorithm will be disabled in a future update.

      For the disabled algorithm found in "jdk.jar.disabledAlgorithms", the warning message will be:

      The MD5 algorithm specified for the -digestalg option is considered a security
      risk and is disabled.

      If jarsigner is verifying a signed JAR using an algorithm that matches "jdk.security.legacyAlgorithms" but not "jdk.jar.disabledAlgorithms", it will be treated as signed, but one of the following informational warnings will be shown:

      The SHA1 digest algorithm is considered a security risk. This algorithm will
      be disabled in a future update.
      
      The SHA1withRSA signature algorithm is considered a security risk. This
      algorithm will be disabled in a future update.

      When displaying algorithm information such as for verbose output in jarsigner -verify, keytool -printcert and -list commands, the "(weak)" is used for the legacy algorithms and "(disabled)" is used for the disabled algorithms.

      For example, the “Signed by” messages for jarsigner -verify:

      -Signed by “CN=test1"
      Digest algorithm: SHA1 (weak)
      Signature algorithm: SHA1withRSA (weak), 1024-bit key (weak)
      
      -Signed by “CN=test2"
      Digest algorithm: MD5 (disabled)
      Signature algorithm: MD5withRSA (disabled), 512-bit key (disabled)

      For signing and verifying a JAR using the -strict option, the exit code will be zero when the algorithm or key size is found in the "jdk.security.legacyAlgorithms" for informational warnings.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                hchao Haimay Chao
                Reporter:
                weijun Weijun Wang
                Reviewed By:
                Sean Mullan, Weijun Wang
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: