- CSR
- Resolution: Approved
- P4
- None
- behavioral
- minimal
- System or security property
- JDK
Summary
Add the DES, DESede and MD5 algorithms to the "jdk.security.legacyAlgorithms" security property in the java.security property file. Change keytool to emit warnings when one of these weak algorithms is used.
Problem
DES, DESede and MD5 are weak algorithms. keytool does not emit warnings when one of these algorithms is used by its commands that operate on secret key entries in the keystore.
Solution
Update the "jdk.security.legacyAlgorithms" security property to include DES, DESede and MD5. Change keytool to perform legacy algorithm constraint checking for its commands related to secret key entries. This enables keytool to generate warnings when it uses a weak secret key based algorithm or PBE algorithm.
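A configuration audit for this change, as an added example that is not part of the CSR or the JDK: it reads the text of a java.security file, joins the backslash-continued value of "jdk.security.legacyAlgorithms", and reports which of DES, DESede and MD5 are not listed. The sample file text, the function names and the case-insensitive name comparison are assumptions of this example.

```python
# Constructed sample: the property as it reads once DES, DESede, MD5 are added.
SAMPLE_JAVA_SECURITY = """\
#
# Legacy cryptographic algorithms and key lengths.
#
jdk.security.legacyAlgorithms=SHA1, \\
    RSA keySize < 2048, DSA keySize < 2048, \\
    DES, DESede, MD5
#
# Algorithm restrictions for signed JAR files
"""

REQUIRED = ("DES", "DESede", "MD5")  # the algorithms this CSR adds


def read_property(text, name):
    """Return the value of `name`, joining backslash-continued lines."""
    value, collecting = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not collecting:
            if line.startswith(("#", "!")) or "=" not in line:
                continue
            key, _, rest = line.partition("=")
            if key.strip() != name:
                continue
            value, line = "", rest.strip()  # a later definition overrides
        collecting = line.endswith("\\")
        value += line[:-1].rstrip() + " " if collecting else line
    return value


def parse_entries(value):
    """Split the value into {algorithm: constraint-or-None}."""
    entries = {}
    for item in filter(None, (p.strip() for p in value.split(","))):
        algorithm, _, constraint = item.partition(" ")
        entries[algorithm] = constraint.strip() or None
    return entries


def missing_legacy(text, name="jdk.security.legacyAlgorithms"):
    """List REQUIRED algorithms that have no unconditional entry."""
    entries = parse_entries(read_property(text, name) or "")
    # Whole-token match, so a "DESede" entry does not stand in for "DES".
    # Comparing names case-insensitively is an assumption of this example.
    bare = {a.lower() for a, c in entries.items() if c is None}
    return [a for a in REQUIRED if a.lower() not in bare]
```
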
Specification
Make the following changes to the java.security property file:
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -638,8 +638,7 @@
SHA1 usage SignedJAR & denyAfter 2019-01-01
#
-# Legacy algorithms for certification path (CertPath) processing and
-# signed JAR files.
+# Legacy cryptographic algorithms and key lengths.
#
-# In some environments, a certain algorithm or key length may be undesirable
-# but is not yet disabled.
+# In some environments, a certain algorithm or key length may be undesirable.
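Review bot: The rewritten header comment ("Legacy cryptographic algorithms and key lengths.") no longer says which components consult this property once the CertPath and signed JAR wording is removed. Suggest naming the consumers in the comment, keytool included, so an administrator editing the list knows what a new entry affects. Dropping "but is not yet disabled" also removes the only hint in this comment that listed algorithms remain usable and are distinct from disabled ones; consider keeping that distinction in the text.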
@@ -655,7 +654,8 @@
# implementations.
jdk.security.legacyAlgorithms=SHA1, \
- RSA keySize < 2048, DSA keySize < 2048
+ RSA keySize < 2048, DSA keySize < 2048, \
+ DES, DESede, MD5
#
# Algorithm restrictions for signed JAR files
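Review bot: The added line "DES, DESede, MD5" lists bare algorithm names, and nothing in this hunk documents how they are matched against composite algorithm names. The stated goal is a keytool warning for weak secret key based and PBE algorithms, so the comment above the property should say whether a PBE algorithm whose name contains MD5 or DES as a component is covered by these entries or needs an entry of its own.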
csr of JDK-8255552 Add DES/3DES/MD5 to jdk.security.legacyAlgorithms (Resolved)