8212003: Deprecating the default keytool -keyalg option
author: weijun
Sat, 17 Nov 2018 18:11:23 +0800
changeset 52598 0379b618ec46
parent 52597 3cda8fed1524
child 52599 a2e22b1ee4a1
8212003: Deprecating the default keytool -keyalg option Reviewed-by: mullan, xuelei
src/java.base/share/classes/sun/security/tools/keytool/Main.java
src/java.base/share/classes/sun/security/tools/keytool/Resources.java
test/jdk/sun/security/tools/keytool/DeprecateKeyalg.java
test/jdk/sun/security/tools/keytool/KeyToolTest.java
test/jdk/sun/security/tools/keytool/WeakAlg.java
--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java	Fri Nov 16 19:27:21 2018 -0800
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java	Sat Nov 17 18:11:23 2018 +0800
@@ -1123,12 +1123,16 @@
         } else if (command == GENKEYPAIR) {
             if (keyAlgName == null) {
                 keyAlgName = "DSA";
+                weakWarnings.add(String.format(rb.getString(
+                        "keyalg.option.1.missing.warning"), keyAlgName));
             }
             doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
             kssave = true;
         } else if (command == GENSECKEY) {
             if (keyAlgName == null) {
                 keyAlgName = "DES";
+                weakWarnings.add(String.format(rb.getString(
+                        "keyalg.option.1.missing.warning"), keyAlgName));
             }
             doGenSecretKey(alias, keyAlgName, keysize);
             kssave = true;
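Review bot: The two new `weakWarnings.add(...)` calls carry no explanation of why only the defaulted algorithm is flagged while an explicit `-keyalg DSA` or `-keyalg DES` stays silent, which a later reader may take for an oversight rather than the deliberate "deprecate the default, not the algorithm" policy. Since the resource text announces that the default itself will be removed, a comment above each fallback such as `// Legacy default kept for compatibility; warn now, the default is slated for removal (JDK-8212003)` would record the intent next to the code. Note the fallback values are unchanged, so until that removal a script that omits `-keyalg` still gets a DSA key pair or a single-DES secret key, only with a warning on stderr; that is worth a sentence in the release note if it is not already there.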
@@ -1758,13 +1762,11 @@
             keygen.init(keysize);
             secKey = keygen.generateKey();
 
-            if (verbose) {
-                MessageFormat form = new MessageFormat(rb.getString
-                    ("Generated.keysize.bit.keyAlgName.secret.key"));
-                Object[] source = {keysize,
-                                    secKey.getAlgorithm()};
-                System.err.println(form.format(source));
-            }
+            MessageFormat form = new MessageFormat(rb.getString
+                ("Generated.keysize.bit.keyAlgName.secret.key"));
+            Object[] source = {keysize,
+                                secKey.getAlgorithm()};
+            System.err.println(form.format(source));
         }
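Review bot: Dropping the `if (verbose)` guard around the `Generated ... secret key` message is a user-visible change for every non-verbose `-genseckey` run, not only the defaulted-algorithm case, and nothing in the hunk records why it was made. A comment such as `// Always report the algorithm and size: with the -keyalg default deprecated, users must be able to see what was actually generated` would tie it to the deprecation. Scripts that relied on an empty stderr from a successful non-verbose run will now see output; if keytool's output is treated as a stable interface anywhere, that belongs in the release note as well.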
 
         if (keyPass == null) {
@@ -1841,6 +1843,7 @@
         // If DN is provided, parse it. Otherwise, prompt the user for it.
         X500Name x500Name;
         if (dname == null) {
+            printWeakWarnings(true);
             x500Name = getX500Name();
         } else {
             x500Name = new X500Name(dname);
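Review bot: `printWeakWarnings(true)` is inserted only on the interactive branch, so for `-genkeypair` the `-keyalg` deprecation message is flushed before the DN prompt, but as far as this diff shows `doGenSecretKey` gains no equivalent call before its own key-password prompt, so a `-genseckey` user is prompted first and warned afterwards. If that asymmetry is intended, a comment on the new line would help, e.g. `// Flush pending weak-algorithm warnings before prompting so the user sees them ahead of the DN questions`; what the `true` argument selects is not visible in this hunk and deserves a word too. The body of doGenKeyPair continues outside the hunk.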
@@ -1866,16 +1869,14 @@
         chain[0] = keypair.getSelfCertificate(
                 x500Name, getStartDate(startDate), validity*24L*60L*60L, ext);
 
-        if (verbose) {
-            MessageFormat form = new MessageFormat(rb.getString
-                ("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
-            Object[] source = {keysize,
-                                privKey.getAlgorithm(),
-                                chain[0].getSigAlgName(),
-                                validity,
-                                x500Name};
-            System.err.println(form.format(source));
-        }
+        MessageFormat form = new MessageFormat(rb.getString
+            ("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
+        Object[] source = {keysize,
+                            privKey.getAlgorithm(),
+                            chain[0].getSigAlgName(),
+                            validity,
+                            x500Name};
+        System.err.println(form.format(source));
 
         if (keyPass == null) {
             keyPass = promptForKeyPass(alias, null, storePass);
--- a/src/java.base/share/classes/sun/security/tools/keytool/Resources.java	Fri Nov 16 19:27:21 2018 -0800
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Resources.java	Sat Nov 17 18:11:23 2018 +0800
@@ -481,6 +481,7 @@
         {"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."},
         {"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."},
         {"importing.keystore.status", "Importing keystore %1$s to %2$s..."},
+        {"keyalg.option.1.missing.warning", "No -keyalg option. The default key algorithm (%s) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified."},
     };
 
 
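Review bot: The new `keyalg.option.1.missing.warning` entry uses a bare `%s` while the neighbouring entries in this table use positional `%1$s`; with a single argument both work, but positional indices are what translators rely on when reordering, so `The default key algorithm (%1$s) is a legacy algorithm` keeps the table consistent. The text also tells the user what is wrong without saying what to pass instead; naming a recommended `-keyalg` value in the message would make the warning actionable rather than merely alarming.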
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/tools/keytool/DeprecateKeyalg.java	Sat Nov 17 18:11:23 2018 +0800
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.test.lib.SecurityTools;
+import jdk.test.lib.process.OutputAnalyzer;
+
+/**
+ * @test
+ * @bug 8212003
+ * @summary Deprecating the default keytool -keyalg option
+ * @library /test/lib
+ */
+
+public class DeprecateKeyalg {
+
+    private static final String COMMON = "-keystore ks -storetype jceks "
+            + "-storepass changeit -keypass changeit";
+
+    public static void main(String[] args) throws Throwable {
+
+        kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
+                .shouldContain("Generating")
+                .shouldNotContain("-keyalg option must be specified");
+
+        kt("-genkeypair -alias b -dname CN=B")
+                .shouldContain("Generating")
+                .shouldContain("default key algorithm (DSA)")
+                .shouldContain("-keyalg option must be specified");
+
+        kt("-genseckey -keyalg DES -alias c")
+                .shouldContain("Generated")
+                .shouldNotContain("-keyalg option must be specified");
+
+        kt("-genseckey -alias d")
+                .shouldContain("Generated")
+                .shouldContain("default key algorithm (DES)")
+                .shouldContain("-keyalg option must be specified");
+    }
+
+    private static OutputAnalyzer kt(String cmd) throws Throwable {
+        return SecurityTools.keytool(COMMON + " " + cmd)
+                .shouldHaveExitValue(0);
+    }
+}
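Review bot: The test exercises only the non-interactive path (`-dname` is always given), so the ordering guarantee introduced by calling `printWeakWarnings` before the DN prompt, namely that the warning appears before the first question, is not covered here. If `SecurityTools.keytool` can be driven with stdin, a further `-genkeypair` case without `-dname` that answers the prompts and checks the warning text precedes the DN prompt text would lock that in; otherwise a comment naming the gap is better than silence. A short class-level comment, e.g. `// The warning is expected only when -keyalg is omitted; an explicit DSA/DES must stay quiet`, would also state what the paired positive/negative cases are asserting.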
--- a/test/jdk/sun/security/tools/keytool/KeyToolTest.java	Fri Nov 16 19:27:21 2018 -0800
+++ b/test/jdk/sun/security/tools/keytool/KeyToolTest.java	Sat Nov 17 18:11:23 2018 +0800
@@ -638,12 +638,12 @@
                 "-genkeypair -alias p1 -dname CN=olala");
         // when specify keypass, make sure keypass==storepass...
         testOK("changeit\n", "-keystore x.p12 -keypass changeit " +
-                "-storetype PKCS12 -genkeypair -alias p3 -dname CN=olala");
+                "-storetype PKCS12 -genkeypair -keyalg DSA -alias p3 -dname CN=olala");
         assertTrue(err.indexOf("Warning") == -1,
                 "PKCS12 silent when keypass == storepass");
         // otherwise, print a warning
         testOK("changeit\n", "-keystore x.p12 -keypass another" +
-                " -storetype PKCS12 -genkeypair -alias p2 -dname CN=olala");
+                " -storetype PKCS12 -genkeypair -keyalg DSA -alias p2 -dname CN=olala");
         assertTrue(err.indexOf("Warning") != -1,
                 "PKCS12 warning when keypass != storepass");
         // no -keypasswd for PKCS12
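Review bot: Only the `p3` and `p2` invocations gain `-keyalg DSA`; the `p1` command on the context line at the top of the hunk (`-genkeypair -alias p1 -dname CN=olala`, whose statement begins outside the hunk) still relies on the default and will now emit the deprecation warning. That is harmless today if no `Warning` assertion follows it, but once the default is removed in a later release, as the new message announces, that call will start failing, so adding `-keyalg DSA` there as well keeps the test's intent stable across the removal.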
@@ -663,12 +663,12 @@
                 "-genkeypair -alias p1 -dname CN=olala");
         // when specify keypass, make sure keypass==storepass...
         testOK("", "-storepass changeit -keystore x.p12 -keypass changeit " +
-                "-storetype PKCS12 -genkeypair -alias p3 -dname CN=olala");
+                "-storetype PKCS12 -genkeypair -keyalg DSA -alias p3 -dname CN=olala");
         assertTrue(err.indexOf("Warning") == -1,
                 "PKCS12 silent when keypass == storepass");
         // otherwise, print a warning
         testOK("", "-storepass changeit -keystore x.p12 -keypass another " +
-                "-storetype PKCS12 -genkeypair -alias p2 -dname CN=olala");
+                "-storetype PKCS12 -genkeypair -keyalg DSA -alias p2 -dname CN=olala");
         assertTrue(err.indexOf("Warning") != -1,
                 "PKCS12 warning when keypass != storepass");
 
--- a/test/jdk/sun/security/tools/keytool/WeakAlg.java	Fri Nov 16 19:27:21 2018 -0800
+++ b/test/jdk/sun/security/tools/keytool/WeakAlg.java	Sat Nov 17 18:11:23 2018 +0800
@@ -158,7 +158,7 @@
         rm("ks");
         rm("ks2");
 
-        kt("-genkeypair -alias a -dname CN=A")
+        kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
                 .shouldNotContain("Warning:");
         kt("-list")
                 .shouldNotContain("Warning:");