Summary

Add "jdk.security.legacyAlgorithms" security property to the java.security property file. The keytool and jarsigner tools will be enhanced to enforce the new property and to print out warnings when the legacy algorithms are used.This enables users to plan transitioning away from them.

Problem

The JDK currently rejects some weak algorithms (Ex: MD5) in a signed jar or a certificate using the "jdk.jar.disabledAlgorithms" and "jdk.certpath.disabledAlgorithms" security properties. The keytool and jarsigner tools currently enforce these properties and show proper warnings when a signed jar or certificate is using any of these disabled algorithms.

However, it would be useful to provide warnings on legacy algorithms that are becoming weak, so that users could begin to transition away from them, before they are actually disabled.

The first round of legacy algorithms include SHA1 and RSA/DSA keys less than 2048-bits.

Solution

Add new security property describing the weak algorithms and the minimum RSA/DSA key size requirement, and let jarsigner and keytool show warnings accordingly when either case is being detected.

Specification

A new security property is introduced with the default values:

#
# Legacy algorithms for certification path (CertPath) processing and
# signed JAR files.
#
# In some environments, a certain algorithm or key length may be undesirable
# but is not yet disabled.
#
# Tools such as keytool and jarsigner may emit warnings when these legacy
# algorithms are used. See the man pages for those tools for more information.
#
# The syntax is the same as the "jdk.certpath.disabledAlgorithms" and
# "jdk.jar.disabledAlgorithms" security properties.
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.

jdk.security.legacyAlgorithms=SHA1, \
    RSA keySize < 2048, DSA keySize < 2048

Notes:

keytool will use "jdk.certpath.disabledAlgorithms" and "jdk.security.legacyAlgorithms" security properties to decide which algorithm or key size is considered a security risk. Previously it used "jdk.certpath.disabledAlgorithms".

The warning message for the legacy algorithm found in "jdk.security.legacyAlgorithms" will be emitted as follows (using keytool -gencert as an example):

The generated certificate uses the SHA1withRSA signature algorithm which is
considered a security risk. This algorithm will be disabled in a future update.

For the disabled algorithm found in "jdk.certpath.disabledAlgorithms", the warning message will be:

The generated certificate uses the MD5withRSA signature algorithm which is
 considered a security risk and is disabled.

Signing a JAR file by jarsigner tool will use "jdk.jar.disabledAlgorithms" and "jdk.security.legacyAlgorithms" to decide which algorithm or key size is considered a security risk. Previously it used "jdk.jar.disabledAlgorithms".

The warning message for the legacy algorithm found in "jdk.security.legacyAlgorithms" will be emitted as follows:

The SHA1 algorithm specified for the -digestalg option is considered a security
risk. This algorithm will be disabled in a future update.

For the disabled algorithm found in "jdk.jar.disabledAlgorithms", the warning message will be:

The MD5 algorithm specified for the -digestalg option is considered a security
risk and is disabled.

If jarsigner is verifying a signed JAR using an algorithm that matches "jdk.security.legacyAlgorithms" but not "jdk.jar.disabledAlgorithms", it will be treated as signed, but one of the following informational warnings will be shown:

The SHA1 digest algorithm is considered a security risk. This algorithm will
be disabled in a future update.

The SHA1withRSA signature algorithm is considered a security risk. This
algorithm will be disabled in a future update.

When displaying algorithm information such as for verbose output in jarsigner -verify, keytool -printcert and -list commands, the "(weak)" is used for the legacy algorithms and "(disabled)" is used for the disabled algorithms.

For example, the “Signed by” messages for jarsigner -verify:

-Signed by “CN=test1"
Digest algorithm: SHA1 (weak)
Signature algorithm: SHA1withRSA (weak), 1024-bit key (weak)

-Signed by “CN=test2"
Digest algorithm: MD5 (disabled)
Signature algorithm: MD5withRSA (disabled), 512-bit key (disabled)

For signing and verifying a JAR using the -strict option, the exit code will be zero when the algorithm or key size is found in the "jdk.security.legacyAlgorithms" for informational warnings.