JDK-8285873

Add DES/3DES/MD5 to jdk.security.legacyAlgorithms

Details

    • CSR
    • Resolution: Approved
    • P4
    • 19
    • security-libs
    • None
    • behavioral
    • minimal
    • System or security property
    • JDK

    Description

      Summary

      Add the DES, DESede and MD5 algorithms to the "jdk.security.legacyAlgorithms" security property in the java.security property file. Change keytool to emit warnings when one of these weak algorithms is used.

      Problem

      DES, DESede and MD5 are weak algorithms. keytool does not emit warnings when one of these algorithms is used for its commands associated with secret key entries in the keystore.

      Solution

      Update the "jdk.security.legacyAlgorithms" security property to include DES, DESede and MD5. Change keytool to perform legacy algorithm constraint checking for its commands related to secret key entries. This enables keytool to generate warnings when it uses a weak secret-key-based algorithm or PBE algorithm.
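
      An added example (not JDK or keytool code): a simplified audit that lists the secret key entries of a keystore whose algorithm matches a bare name in jdk.security.legacyAlgorithms. The class name, the in-memory sample keystore, its password and the name-splitting rule are assumptions made for illustration; keytool's own constraint checker is not shown on this page.

```java
import java.security.KeyStore;
import java.security.Security;
import java.util.*;
import javax.crypto.KeyGenerator;

public class LegacySecretKeyAudit {
    // Property value after this change, copied from the diff on this page.
    static final String PAGE_VALUE = "SHA1, RSA keySize < 2048, DSA keySize < 2048, DES, DESede, MD5";
    // Collect bare algorithm names; qualified entries such as
    // "RSA keySize < 2048" need key-size logic and are skipped here.
    static Set<String> bareNames(String prop) {
        Set<String> names = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String entry : prop.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty() && !e.contains(" ")) names.add(e);
        }
        return names;
    }
    // Simplified decomposition (an assumption): "PBEWithMD5AndDES" -> PBE, MD5, DES.
    static boolean isLegacy(String algorithm, Set<String> legacy) {
        for (String part : algorithm.split("(?i)with|and|/")) {
            if (legacy.contains(part)) return true;
        }
        return false;
    }
    // Return "alias (algorithm)" for each secret key entry using a legacy algorithm.
    static List<String> audit(KeyStore ks, char[] pw, Set<String> legacy) throws Exception {
        List<String> hits = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) continue;
            String alg = ks.getKey(alias, pw).getAlgorithm();
            if (isLegacy(alg, legacy)) hits.add(alias + " (" + alg + ")");
        }
        return hits;
    }
    public static void main(String[] args) throws Exception {
        String live = Security.getProperty("jdk.security.legacyAlgorithms");
        // Runtimes without this change do not list DES; fall back to the page's value.
        Set<String> legacy = bareNames(live != null && live.contains("DES") ? live : PAGE_VALUE);
        char[] pw = "changeit".toCharArray();          // constructed demo password
        KeyStore ks = KeyStore.getInstance("PKCS12");  // constructed in-memory sample keystore
        ks.load(null, null);
        for (String alg : new String[] {"DES", "DESede", "AES"}) {
            ks.setKeyEntry("key-" + alg.toLowerCase(), KeyGenerator.getInstance(alg).generateKey(), pw, null);
        }
        audit(ks, pw, legacy).forEach(h -> System.out.println("Warning: legacy algorithm: " + h));
    }
}
```

      To audit an existing keystore, load it from disk with its real password and pass it to audit() in place of the constructed sample.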

      Specification

      Make the following changes to the java.security property file:

      --- a/src/java.base/share/conf/security/java.security
      +++ b/src/java.base/share/conf/security/java.security
      @@ -638,8 +638,7 @@
           SHA1 usage SignedJAR & denyAfter 2019-01-01
      
       #
      -# Legacy algorithms for certification path (CertPath) processing and
      -# signed JAR files.
      +# Legacy cryptographic algorithms and key lengths.
       #
      -# In some environments, a certain algorithm or key length may be undesirable
      -# but is not yet disabled.
      +# In some environments, a certain algorithm or key length may be undesirable.
      
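      Review bot: The rewritten header comment drops "but is not yet disabled" and the reference to CertPath and signed JAR processing, so it no longer says that an algorithm listed here remains usable, nor which components consult the property. With the disabled-algorithm entry "SHA1 usage SignedJAR & denyAfter 2019-01-01" directly above, a reader can confuse the legacy list with the disabled lists. Suggest keeping the "but is not yet disabled" clause and naming the consumers of the property, keytool among them per the Solution.
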
      @@ -655,7 +654,8 @@
       # implementations.
      
       jdk.security.legacyAlgorithms=SHA1, \
      -    RSA keySize < 2048, DSA keySize < 2048
      +    RSA keySize < 2048, DSA keySize < 2048, \
      +    DES, DESede, MD5
      
       #
       # Algorithm restrictions for signed JAR files
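
      Review bot: The entries added on the "+    DES, DESede, MD5" line are bare names with no keySize or usage qualifier, and the visible comment does not say how they match composite algorithm names. The Solution says keytool will warn for PBE algorithms, so the comment block should state whether a name such as PBEWithMD5AndDES is matched through its MD5 and DES components, and whether other names for DESede (the title says 3DES) are covered.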


            People

              hchao Haimay Chao
              hchao Haimay Chao
              Sean Mullan