Type: CSR
Resolution: Approved
Priority: P3
Fix Version: None
Compatibility Kind: behavioral
Compatibility Risk: medium
Compatibility Risk Description: Removing the default value will break keytool commands that relied on it, i.e. that omitted -keyalg when generating a key or a key pair. The impact should be quite limited because DSA and DES should not be used nowadays.
Interface Kind: add/remove/modify command line option
Scope: JDK
Summary

Remove the default -keyalg value for the -genkeypair and -genseckey commands of keytool, so that it is an error if the user has not explicitly specified one.

Problem
The default values (DSA and DES) were deprecated in JDK 12 and it's now time to remove them. In addition, NIST has recently (2019-10-31, https://www.federalregister.gov/documents/2019/10/31/2019-23742/request-for-comments-on-fips-186-5-and-sp-800-186) proposed removing DSA in its FIPS 186-5 draft, claiming that "Industry adoption of DSA was limited" and "recent academic analysis observed that implementations of DSA may be vulnerable to attacks if domain parameters are not properly generated". DES has been considered weak and obsolete for a long time, see https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard and https://tools.ietf.org/html/rfc4772.
Solution

Remove the default values.

Specification

For keytool -genkeypair and keytool -genseckey, if no -keyalg is specified, no key will be generated and keytool will terminate with an error showing:

    The -keyalg option must be specified.
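Scripts that generated keys without -keyalg used to get DSA or DES silently; after this change they fail outright, so they are worth finding before an upgrade. The following POSIX shell audit is an added example, not part of the CSR or of the JDK: it flags keytool -genkeypair / -genseckey invocations that omit -keyalg and scans a constructed sample script (the aliases, keystore names and EC/AES choices are illustrative, not taken from any project).

```shell
#!/bin/sh
# Added example (not JDK code): audit scripts for keytool key-generation
# commands that omit -keyalg. After JDK-8214024 such commands fail with
# "The -keyalg option must be specified." instead of producing DSA/DES keys.

# Return 0 if the keytool command line is acceptable, 1 if it generates a
# key without an explicit -keyalg. Commands that do not generate keys pass.
keytool_keyalg_ok() {
  cmd="$1"
  case "$cmd" in
    *keytool*-genkeypair*|*keytool*-genseckey*) ;;
    *) return 0 ;;
  esac
  # pad with spaces so "-keyalg" matches as a whole token anywhere on the line
  case " $cmd " in
    *" -keyalg "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Scan a script line by line, print every offending invocation and return
# the number found (0 means the script is clean).
audit_keytool_script() {
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in *keytool*) ;; *) continue ;; esac
    if keytool_keyalg_ok "$line"; then continue; fi
    printf 'missing -keyalg: %s\n' "$line"
    found=$((found + 1))
  done < "$1"
  return "$found"
}

# Write a constructed sample script (not from any real project) and print
# its path: two invocations rely on the removed default, three are fine.
make_sample_script() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
keytool -genkeypair -alias server -keystore server.p12 -storetype PKCS12
keytool -genkeypair -alias server2 -keyalg EC -groupname secp256r1 -keystore server.p12
keytool -genseckey -alias hmac -keystore secrets.p12 -storetype PKCS12
keytool -genseckey -alias aes -keyalg AES -keysize 256 -keystore secrets.p12
keytool -list -keystore server.p12
EOF
  printf '%s\n' "$f"
}

sample=$(make_sample_script)
audit_keytool_script "$sample"
echo "offending invocations: $?"
rm -f "$sample"
```

The fix for each flagged line is to add an explicit algorithm, for example -keyalg EC (or RSA) for -genkeypair and -keyalg AES for -genseckey, as the two passing lines in the sample do.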
CSR of: JDK-8214024 Remove the default keytool -keyalg value (Resolved)