6561126: keytool should use larger default keysize for keypairs
Reviewed-by: mullan
--- a/jdk/src/share/classes/sun/security/tools/JarSigner.java Wed Jul 22 16:40:39 2009 +0800
+++ b/jdk/src/share/classes/sun/security/tools/JarSigner.java Wed Jul 22 16:41:14 2009 +0800
@@ -136,7 +136,7 @@
char[] keypass; // private key password
String sigfile; // name of .SF file
String sigalg; // name of signature algorithm
- String digestalg = "SHA1"; // name of digest algorithm
+ String digestalg = "SHA-256"; // name of digest algorithm
String signedjar; // output filename
String tsaUrl; // location of the Timestamping Authority
String tsaAlias; // alias for the Timestamping Authority's certificate
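Review bot: The new field default `"SHA-256"` uses the hyphenated JCA standard name, whereas the per-key selection later in this file (the hunk changing `digestAlgorithm = "SHA256"`) uses the unhyphenated alias; both presumably resolve to the same MessageDigest in the Sun provider, but a single spelling should be used in both places so the two defaults are obviously the same algorithm. Suggest `String digestalg = "SHA-256"; // name of digest algorithm (JCA standard name; keep in sync with the per-key default)`.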
@@ -2205,7 +2205,7 @@
if (keyAlgorithm.equalsIgnoreCase("DSA"))
digestAlgorithm = "SHA1";
else if (keyAlgorithm.equalsIgnoreCase("RSA"))
- digestAlgorithm = "SHA1";
+ digestAlgorithm = "SHA256";
else {
throw new RuntimeException("private key is not a DSA or "
+ "RSA key");
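Review bot: The DSA branch keeps `digestAlgorithm = "SHA1"` while the RSA branch moves to SHA256, and nothing in the code says why; a later reader will read the asymmetry as an oversight. If the reason is that only SHA1withDSA is available for DSA keys in this provider (as I presume), add `// DSA stays on SHA1: SHA1withDSA is the only DSA signature scheme offered here` above the DSA test. The RSA branch also spells the digest `"SHA256"` where the field default in the earlier hunk uses `"SHA-256"`; pick one spelling. The enclosing method starts and ends outside this hunk.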
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java Wed Jul 22 16:40:39 2009 +0800
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java Wed Jul 22 16:41:14 2009 +0800
@@ -1318,7 +1318,7 @@
if ("DSA".equalsIgnoreCase(keyAlgName)) {
return "SHA1WithDSA";
} else if ("RSA".equalsIgnoreCase(keyAlgName)) {
- return "SHA1WithRSA";
+ return "SHA256WithRSA";
} else if ("EC".equalsIgnoreCase(keyAlgName)) {
return "SHA1withECDSA";
} else {
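Review bot: EC keys still get `SHA1withECDSA` while the default EC key size in the next hunk is 256 bits, so a 256-bit curve is paired with a 160-bit digest — the same strength mismatch this change corrects for RSA. If the EC provider in this tree supports it, `return "SHA256withECDSA";` would be the consistent default; if it does not, a comment stating why EC is deliberately left on SHA1 is needed so the branch is not mistaken for an omission. The enclosing method starts and ends outside this hunk.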
@@ -1336,6 +1336,8 @@
if (keysize == -1) {
if ("EC".equalsIgnoreCase(keyAlgName)) {
keysize = 256;
+ } else if ("RSA".equalsIgnoreCase(keyAlgName)) {
+ keysize = 2048;
} else {
keysize = 1024;
}
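Review bot: With EC and RSA now having their own branches, the fallback `keysize = 1024` effectively applies to DSA only, but the code still reads as a generic default and nothing explains why DSA is not raised along with RSA. Suggest `} else { // DSA (and any other algorithm): 1024 — larger DSA keys would need SHA-2 DSA signatures; confirm provider support before raising` so the limit is documented where it is set. The enclosing method starts and ends outside this hunk.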
@@ -2499,6 +2501,7 @@
cert.getNotAfter().toString(),
getCertFingerPrint("MD5", cert),
getCertFingerPrint("SHA1", cert),
+ getCertFingerPrint("SHA-256", cert),
cert.getSigAlgName(),
cert.getVersion()
};
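Review bot: Inserting the SHA-256 fingerprint at index 7 shifts the signature algorithm name and version to `{8}` and `{9}`; the pattern in Resources.java is updated in this commit, but if any localized bundles (Resources_*.java) carry their own copy of `*PATTERN* printX509Cert`, they still bind `{7}` to the signature algorithm and would print the SHA-256 fingerprint under that label and the algorithm name as the version. Please check that every bundle defining this pattern changes in the same commit. The MD5 line is kept; given known MD5 collisions it is no longer a reliable identifier for a certificate, so it is worth considering whether it should still be listed at all. The enclosing method starts and ends outside this hunk.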
--- a/jdk/src/share/classes/sun/security/util/Resources.java Wed Jul 22 16:40:39 2009 +0800
+++ b/jdk/src/share/classes/sun/security/util/Resources.java Wed Jul 22 16:41:14 2009 +0800
@@ -215,7 +215,7 @@
{"\t(RETURN if same as for <otherAlias>)",
"\t(RETURN if same as for <{0}>)"},
{"*PATTERN* printX509Cert",
- "Owner: {0}\nIssuer: {1}\nSerial number: {2}\nValid from: {3} until: {4}\nCertificate fingerprints:\n\t MD5: {5}\n\t SHA1: {6}\n\t Signature algorithm name: {7}\n\t Version: {8}"},
+ "Owner: {0}\nIssuer: {1}\nSerial number: {2}\nValid from: {3} until: {4}\nCertificate fingerprints:\n\t MD5: {5}\n\t SHA1: {6}\n\t SHA256: {7}\n\t Signature algorithm name: {8}\n\t Version: {9}"},
{"What is your first and last name?",
"What is your first and last name?"},
{"What is the name of your organizational unit?",
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/tools/jarsigner/newsize7.sh Wed Jul 22 16:41:14 2009 +0800
@@ -0,0 +1,73 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6561126
+# @summary keytool should use larger default keysize for keypairs
+#
+# @run shell newsize7.sh
+
+# set a few environment variables so that the shell-script can run stand-alone
+# in the source directory
+if [ "${TESTSRC}" = "" ] ; then
+ TESTSRC="."
+fi
+
+if [ "${TESTJAVA}" = "" ] ; then
+ JAVA_CMD=`which java`
+ TESTJAVA=`dirname $JAVA_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+ Windows_* )
+ FS="\\"
+ ;;
+ * )
+ FS="/"
+ ;;
+esac
+
+KSFILE=ns7.jks
+
+KT="${TESTJAVA}${FS}bin${FS}keytool -keystore ns7.jks -storepass changeit -keypass changeit"
+JAR="${TESTJAVA}${FS}bin${FS}jar"
+JS="${TESTJAVA}${FS}bin${FS}jarsigner -keystore ns7.jks -storepass changeit"
+
+rm ns7.*
+
+$KT -genkeypair -alias me -dname CN=Me
+
+touch ns7.txt
+$JAR cvf ns7.jar ns7.txt
+
+$JS ns7.jar me
+$JAR xvf ns7.jar
+
+grep SHA-256 META-INF/MANIFEST.MF || exit 1
+grep SHA-256 META-INF/ME.SF || exit 2
+
+#rm -rf META-INF
+
+exit 0
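Review bot: `$JAR xvf ns7.jar` unpacks into the working directory, but nothing removes a pre-existing META-INF and `rm ns7.*` does not cover it, so a stale META-INF/ME.SF from an earlier run would satisfy both greps even if keytool or jarsigner failed this time — and none of their exit codes is checked. Suggest `rm -rf ns7.* META-INF` before generating the key (this also silences the error `rm` prints when the files do not exist yet) and `$JS ns7.jar me || exit 3` so a failed signing is reported rather than masked. The commented-out `#rm -rf META-INF` at the end should either be enabled or dropped.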
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/tools/keytool/NewSize7.java Wed Jul 22 16:41:14 2009 +0800
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6561126
+ * @summary keytool should use larger default keysize for keypairs
+ */
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPublicKey;
+import sun.security.tools.KeyTool;
+
+public class NewSize7 {
+ public static void main(String[] args) throws Exception {
+ String FILE = "newsize7-ks";
+ new File(FILE).delete();
+ KeyTool.main(("-debug -genkeypair -keystore " + FILE +
+ " -alias a -dname cn=c -storepass changeit" +
+ " -keypass changeit -keyalg rsa").split(" "));
+ KeyStore ks = KeyStore.getInstance("JKS");
+ ks.load(new FileInputStream(FILE), null);
+ new File(FILE).delete();
+ RSAPublicKey r = (RSAPublicKey)ks.getCertificate("a").getPublicKey();
+ if (r.getModulus().bitLength() != 2048) {
+ throw new Exception("Bad keysize");
+ }
+ X509Certificate x = (X509Certificate)ks.getCertificate("a");
+ if (!x.getSigAlgName().equals("SHA256withRSA")) {
+ throw new Exception("Bad sigalg");
+ }
+ }
+}
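Review bot: The `FileInputStream` passed to `ks.load` is never closed, and on Windows the open handle can make the immediately following `new File(FILE).delete()` fail silently (its return value is ignored), leaving the keystore behind for the next run. Replace the load with `FileInputStream in = new FileInputStream(FILE);` followed by `try { ks.load(in, null); } finally { in.close(); }`, and move the delete into a `finally` (or check its result) so cleanup also happens when one of the checks throws. The comparison against `"SHA256withRSA"` succeeds even though KeyTool returns `"SHA256WithRSA"` only because the certificate reports the canonical name derived from the OID; a one-line comment saying so would save the next reader from chasing the case difference.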