changeset 52598:0379b618ec46

8212003: Deprecating the default keytool -keyalg option Reviewed-by: mullan, xuelei
author weijun
date Sat, 17 Nov 2018 18:11:23 +0800
parents 3cda8fed1524
children a2e22b1ee4a1
files src/java.base/share/classes/sun/security/tools/keytool/Main.java src/java.base/share/classes/sun/security/tools/keytool/Resources.java test/jdk/sun/security/tools/keytool/DeprecateKeyalg.java test/jdk/sun/security/tools/keytool/KeyToolTest.java test/jdk/sun/security/tools/keytool/WeakAlg.java
diffstat 5 files changed, 88 insertions(+), 22 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java	Fri Nov 16 19:27:21 2018 -0800
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java	Sat Nov 17 18:11:23 2018 +0800
@@ -1123,12 +1123,16 @@
         } else if (command == GENKEYPAIR) {
             if (keyAlgName == null) {
                 keyAlgName = "DSA";
+                weakWarnings.add(String.format(rb.getString(
+                        "keyalg.option.1.missing.warning"), keyAlgName));
             }
             doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
             kssave = true;
         } else if (command == GENSECKEY) {
             if (keyAlgName == null) {
                 keyAlgName = "DES";
+                weakWarnings.add(String.format(rb.getString(
+                        "keyalg.option.1.missing.warning"), keyAlgName));
             }
             doGenSecretKey(alias, keyAlgName, keysize);
             kssave = true;
@@ -1758,13 +1762,11 @@
             keygen.init(keysize);
             secKey = keygen.generateKey();
 
-            if (verbose) {
-                MessageFormat form = new MessageFormat(rb.getString
-                    ("Generated.keysize.bit.keyAlgName.secret.key"));
-                Object[] source = {keysize,
-                                    secKey.getAlgorithm()};
-                System.err.println(form.format(source));
-            }
+            MessageFormat form = new MessageFormat(rb.getString
+                ("Generated.keysize.bit.keyAlgName.secret.key"));
+            Object[] source = {keysize,
+                                secKey.getAlgorithm()};
+            System.err.println(form.format(source));
         }
 
         if (keyPass == null) {
@@ -1841,6 +1843,7 @@
         // If DN is provided, parse it. Otherwise, prompt the user for it.
         X500Name x500Name;
         if (dname == null) {
+            printWeakWarnings(true);
             x500Name = getX500Name();
         } else {
             x500Name = new X500Name(dname);
@@ -1866,16 +1869,14 @@
         chain[0] = keypair.getSelfCertificate(
                 x500Name, getStartDate(startDate), validity*24L*60L*60L, ext);
 
-        if (verbose) {
-            MessageFormat form = new MessageFormat(rb.getString
-                ("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
-            Object[] source = {keysize,
-                                privKey.getAlgorithm(),
-                                chain[0].getSigAlgName(),
-                                validity,
-                                x500Name};
-            System.err.println(form.format(source));
-        }
+        MessageFormat form = new MessageFormat(rb.getString
+            ("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
+        Object[] source = {keysize,
+                            privKey.getAlgorithm(),
+                            chain[0].getSigAlgName(),
+                            validity,
+                            x500Name};
+        System.err.println(form.format(source));
 
         if (keyPass == null) {
             keyPass = promptForKeyPass(alias, null, storePass);
--- a/src/java.base/share/classes/sun/security/tools/keytool/Resources.java	Fri Nov 16 19:27:21 2018 -0800
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Resources.java	Sat Nov 17 18:11:23 2018 +0800
@@ -481,6 +481,7 @@
         {"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."},
         {"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."},
         {"importing.keystore.status", "Importing keystore %1$s to %2$s..."},
+        {"keyalg.option.1.missing.warning", "No -keyalg option. The default key algorithm (%s) is a legacy algorithm and is no longer recommended. In a subsequent release of the JDK, the default will be removed and the -keyalg option must be specified."},
     };
 
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/tools/keytool/DeprecateKeyalg.java	Sat Nov 17 18:11:23 2018 +0800
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.test.lib.SecurityTools;
+import jdk.test.lib.process.OutputAnalyzer;
+
+/**
+ * @test
+ * @bug 8212003
+ * @summary Deprecating the default keytool -keyalg option
+ * @library /test/lib
+ */
+
+public class DeprecateKeyalg {
+
+    private static final String COMMON = "-keystore ks -storetype jceks "
+            + "-storepass changeit -keypass changeit";
+
+    public static void main(String[] args) throws Throwable {
+
+        kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
+                .shouldContain("Generating")
+                .shouldNotContain("-keyalg option must be specified");
+
+        kt("-genkeypair -alias b -dname CN=B")
+                .shouldContain("Generating")
+                .shouldContain("default key algorithm (DSA)")
+                .shouldContain("-keyalg option must be specified");
+
+        kt("-genseckey -keyalg DES -alias c")
+                .shouldContain("Generated")
+                .shouldNotContain("-keyalg option must be specified");
+
+        kt("-genseckey -alias d")
+                .shouldContain("Generated")
+                .shouldContain("default key algorithm (DES)")
+                .shouldContain("-keyalg option must be specified");
+    }
+
+    private static OutputAnalyzer kt(String cmd) throws Throwable {
+        return SecurityTools.keytool(COMMON + " " + cmd)
+                .shouldHaveExitValue(0);
+    }
+}
--- a/test/jdk/sun/security/tools/keytool/KeyToolTest.java	Fri Nov 16 19:27:21 2018 -0800
+++ b/test/jdk/sun/security/tools/keytool/KeyToolTest.java	Sat Nov 17 18:11:23 2018 +0800
@@ -638,12 +638,12 @@
                 "-genkeypair -alias p1 -dname CN=olala");
         // when specify keypass, make sure keypass==storepass...
         testOK("changeit\n", "-keystore x.p12 -keypass changeit " +
-                "-storetype PKCS12 -genkeypair -alias p3 -dname CN=olala");
+                "-storetype PKCS12 -genkeypair -keyalg DSA -alias p3 -dname CN=olala");
         assertTrue(err.indexOf("Warning") == -1,
                 "PKCS12 silent when keypass == storepass");
         // otherwise, print a warning
         testOK("changeit\n", "-keystore x.p12 -keypass another" +
-                " -storetype PKCS12 -genkeypair -alias p2 -dname CN=olala");
+                " -storetype PKCS12 -genkeypair -keyalg DSA -alias p2 -dname CN=olala");
         assertTrue(err.indexOf("Warning") != -1,
                 "PKCS12 warning when keypass != storepass");
         // no -keypasswd for PKCS12
@@ -663,12 +663,12 @@
                 "-genkeypair -alias p1 -dname CN=olala");
         // when specify keypass, make sure keypass==storepass...
         testOK("", "-storepass changeit -keystore x.p12 -keypass changeit " +
-                "-storetype PKCS12 -genkeypair -alias p3 -dname CN=olala");
+                "-storetype PKCS12 -genkeypair -keyalg DSA -alias p3 -dname CN=olala");
         assertTrue(err.indexOf("Warning") == -1,
                 "PKCS12 silent when keypass == storepass");
         // otherwise, print a warning
         testOK("", "-storepass changeit -keystore x.p12 -keypass another " +
-                "-storetype PKCS12 -genkeypair -alias p2 -dname CN=olala");
+                "-storetype PKCS12 -genkeypair -keyalg DSA -alias p2 -dname CN=olala");
         assertTrue(err.indexOf("Warning") != -1,
                 "PKCS12 warning when keypass != storepass");
 
--- a/test/jdk/sun/security/tools/keytool/WeakAlg.java	Fri Nov 16 19:27:21 2018 -0800
+++ b/test/jdk/sun/security/tools/keytool/WeakAlg.java	Sat Nov 17 18:11:23 2018 +0800
@@ -158,7 +158,7 @@
         rm("ks");
         rm("ks2");
 
-        kt("-genkeypair -alias a -dname CN=A")
+        kt("-genkeypair -keyalg DSA -alias a -dname CN=A")
                 .shouldNotContain("Warning:");
         kt("-list")
                 .shouldNotContain("Warning:");