On Mon, 6 Oct 2025 12:27:08 GMT, Sean Mullan <[email protected]> wrote:
>> This PR improves security warning when using JKS or JCEKS keystores.
>
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 244:
>
>> 242: private boolean allAliasesFound = true;
>> 243: private boolean hasMultipleManifests = false;
>> 244: private boolean outdatedFormat = false;
>
> Suggest calling this variable "weakKeyStore".
Done.
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 2419:
>
>> 2417: outdatedFormat = true;
>> 2418: }
>> 2419: }
>
> I don't think you need the `realStoreType` field. If you move this check to
> the end of the `else` block starting on line 2424 (which means the keystore
> is a file), and just check the `KeyStore.type()` I think it should be
> sufficient, ex:
>
>     if (store.getType().equalsIgnoreCase("JKS")
>             || store.getType().equalsIgnoreCase("JCEKS")) {
>         weakKeyStore = true;
>     }
Done.
> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/resources/jarsigner.properties line 225:
>
>> 223: signature.verification.failed.on.entry.1.when.reading.via.jarinputstream=Signature verification failed on entry %s when reading via JarInputStream
>> 224: signature.verification.failed.on.entry.1.when.reading.via.jarfile=Signature verification failed on entry %s when reading via JarFile
>> 225: outdated.storetype.warning=%1$s uses outdated cryptographic algorithms and will be removed in a future release. Migrate to PKCS12 using:\n\
>
> Call this "jks.storetype.warning" so it is consistent with
> `keytool.properties`.
Done.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2418702964
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2418703223
PR Review Comment: https://git.openjdk.org/jdk/pull/27624#discussion_r2418702879
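As an added illustration of the check discussed above (not code from the PR or the JDK), the stand-alone Java program below lets the JDK probe a keystore file's actual format with `KeyStore.getInstance(File, char[])`, applies the same JKS/JCEKS type test the reviewer suggests, and then carries out the PKCS12 migration the new warning recommends. The class name, the constructed JCEKS sample store and the assumption that key entries are protected with the store password are mine.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.spec.SecretKeySpec;

public final class WeakKeyStoreCheck {

    /** Lets the JDK detect the file's format (JDK 9+), then applies the reviewer's type test. */
    static boolean isWeakKeyStore(File file, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(file, password); // type comes from the file contents
        String type = store.getType();
        return type.equalsIgnoreCase("JKS") || type.equalsIgnoreCase("JCEKS");
    }

    /** Copies every entry into a fresh PKCS12 file, the migration the new warning recommends. */
    static void migrateToPkcs12(File src, File dst, char[] password) throws Exception {
        KeyStore in = KeyStore.getInstance(src, password);
        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null);
        // Assumption: key entries are protected with the store password (the usual convention).
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password);
        for (String alias : Collections.list(in.aliases())) {
            boolean certOnly = in.isCertificateEntry(alias); // trusted certs carry no protection
            KeyStore.Entry entry = in.getEntry(alias, certOnly ? null : prot);
            out.setEntry(alias, entry, certOnly ? null : prot);
        }
        try (FileOutputStream fos = new FileOutputStream(dst)) { out.store(fos, password); }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed sample password
        File jceks = File.createTempFile("legacy", ".jceks");
        File p12 = File.createTempFile("migrated", ".p12");
        jceks.deleteOnExit(); p12.deleteOnExit();

        // Constructed sample: a JCEKS store holding one AES secret key, as a legacy tool might leave behind.
        KeyStore legacy = KeyStore.getInstance("JCEKS");
        legacy.load(null, null);
        legacy.setEntry("aes-key", new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                new KeyStore.PasswordProtection(pw));
        try (FileOutputStream fos = new FileOutputStream(jceks)) { legacy.store(fos, pw); }

        System.out.println("weak before migration: " + isWeakKeyStore(jceks, pw));
        migrateToPkcs12(jceks, p12, pw);
        System.out.println("weak after migration:  " + isWeakKeyStore(p12, pw));
    }
}
```

The same probe-then-check sequence is what lets a signing pipeline flag a weak keystore before jarsigner is even invoked, independent of which `-storetype` the caller passed.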