< prev index next >
src/share/classes/sun/security/tools/keytool/Main.java
Print this page
rev 14231 : 8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
Reviewed-by: mullan, xuelei, weijun
*** 48,58 ****
--- 48,60 ----
import java.security.cert.CertificateFactory;
import java.security.cert.CertStoreException;
import java.security.cert.CRL;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
+ import java.security.interfaces.ECKey;
import java.security.spec.AlgorithmParameterSpec;
+ import java.security.spec.ECParameterSpec;
import java.text.Collator;
import java.text.MessageFormat;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
*** 69,78 ****
--- 71,81 ----
import javax.security.auth.x500.X500Principal;
import java.util.Base64;
import sun.security.util.DisabledAlgorithmConstraints;
import sun.security.util.KeyUtil;
+ import sun.security.util.NamedCurve;
import sun.security.util.ObjectIdentifier;
import sun.security.pkcs10.PKCS10;
import sun.security.pkcs10.PKCS10Attribute;
import sun.security.provider.X509Factory;
import sun.security.provider.certpath.CertStoreHelper;
*** 3087,3096 ****
--- 3090,3110 ----
} else {
return String.format(rb.getString("with.weak"), alg);
}
}
+ private String fullDisplayAlgName(Key key) {
+ String result = key.getAlgorithm();
+ if (key instanceof ECKey) {
+ ECParameterSpec paramSpec = ((ECKey) key).getParams();
+ if (paramSpec instanceof NamedCurve) {
+ result += " (" + paramSpec.toString().split(" ")[0] + ")";
+ }
+ }
+ return result;
+ }
+
private String withWeak(PublicKey key) {
if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
return String.format(rb.getString("key.bit"),
KeyUtil.getKeySize(key), key.getAlgorithm());
} else {
*** 4377,4387 ****
if (key != null && !DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
weakWarnings.add(String.format(
rb.getString("whose.key.risk"),
label,
String.format(rb.getString("key.bit"),
! KeyUtil.getKeySize(key), key.getAlgorithm())));
}
}
private void checkWeak(String label, Certificate[] certs)
throws KeyStoreException {
--- 4391,4401 ----
if (key != null && !DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
weakWarnings.add(String.format(
rb.getString("whose.key.risk"),
label,
String.format(rb.getString("key.bit"),
! KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
}
}
private void checkWeak(String label, Certificate[] certs)
throws KeyStoreException {
< prev index next >