8353749: Improve security warning when using JKS or JCEKS keystores

src/java.base/share/classes/java/security/KeyStore.java

@@ -829,6 +829,19 @@ private String getProviderName() {
         return (provider == null) ? "(no provider)" : provider.getName();
     }
 
+    private static void outdatedKeyStoreLog(String type) {
+        if (type != null && kdebug != null &&
+                (type.equalsIgnoreCase("JKS") ||
+                type.equalsIgnoreCase("JCEKS"))) {
+            kdebug.println("WARNING: " + type.toUpperCase(Locale.ROOT) +
+                    " uses outdated cryptographic algorithm and" +
+                    " will be removed in a future release." +
+                    " Migrate to PKCS12 using:\n" +
+                    "keytool -importkeystore -srckeystore <keystore>" +
+                    " -destkeystore <keystore> -deststoretype pkcs12");
+        }
+    }
+
     /**
      * Returns a {@code KeyStore} object of the specified type.
      *
@@ -886,6 +899,7 @@ public static KeyStore getInstance(String type)
 
         try {
             Object[] objs = Security.getImpl(type, "KeyStore", (String)null);
+            outdatedKeyStoreLog(type);
             return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
         } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
             throw new KeyStoreException(type + " not found", e);
@@ -951,6 +965,7 @@ public static KeyStore getInstance(String type, String provider)
 
         try {
             Object[] objs = Security.getImpl(type, "KeyStore", provider);
+            outdatedKeyStoreLog(type);
             return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
         } catch (NoSuchAlgorithmException nsae) {
             throw new KeyStoreException(type + " not found", nsae);
@@ -1012,6 +1027,7 @@ public static KeyStore getInstance(String type, Provider provider)
 
         try {
             Object[] objs = Security.getImpl(type, "KeyStore", provider);
+            outdatedKeyStoreLog(type);
             return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
         } catch (NoSuchAlgorithmException nsae) {
             throw new KeyStoreException(type + " not found", nsae);
@@ -1891,6 +1907,8 @@ private static final KeyStore getInstance(File file, char[] password,
                     keystore.keyStoreSpi.engineLoad(dataStream, param);
                     keystore.initialized = true;
                 }
+
+                outdatedKeyStoreLog(keystore.getType());
                 return keystore;
             }
         }

src/java.base/share/classes/sun/security/tools/keytool/resources/keytool.properties

@@ -321,7 +321,8 @@ Unable.to.parse.denyAfter.string.in.exception.message=Unable to parse denyAfter
 whose.sigalg.weak=%1$s uses the %2$s signature algorithm which is considered a security risk.
 whose.key.disabled=%1$s uses a %2$s which is considered a security risk and is disabled.
 whose.key.weak=%1$s uses a %2$s which is considered a security risk. It will be disabled in a future update.
-jks.storetype.warning=The %1$s keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12".
+jks.storetype.warning=%1$s uses outdated cryptographic algorithms and will be removed in a future release. Migrate to PKCS12 using:\n\
+keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12
 migrate.keystore.warning=Migrated "%1$s" to %4$s. The %2$s keystore is backed up as "%3$s".
 backup.keystore.warning=The original keystore "%1$s" is backed up as "%3$s"...
 importing.keystore.status=Importing keystore %1$s to %2$s...

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java

@@ -167,6 +167,7 @@ public ExitException(int errorCode) {
     char[] storepass; // keystore password
     boolean protectedPath; // protected authentication path
     String storetype; // keystore type
+    String realStoreType;
     String providerName; // provider name
     List<String> providers = null; // list of provider names
     List<String> providerClasses = null; // list of provider classes
@@ -240,6 +241,7 @@ public ExitException(int errorCode) {
     private boolean signerSelfSigned = false;
     private boolean allAliasesFound = true;
     private boolean hasMultipleManifests = false;
+    private boolean outdatedFormat = false;
 
     private Throwable chainNotValidatedReason = null;
     private Throwable tsaChainNotValidatedReason = null;
@@ -1482,6 +1484,12 @@ private void displayMessagesAndResult(boolean isSigning) {
             warnings.add(rb.getString("external.file.attributes.detected"));
         }
 
+        if (outdatedFormat) {
+            warnings.add(String.format(rb.getString(
+                    "outdated.storetype.warning"),
+                    realStoreType, keystore));
+        }
+
         if ((strict) && (!errors.isEmpty())) {
             result = isSigning
                     ? rb.getString("jar.signed.with.signer.errors.")
@@ -2400,6 +2408,16 @@ void loadKeyStore(String keyStoreName, boolean prompt) {
                         (rb.getString("Enter.Passphrase.for.keystore."));
             }
 
+            File storeFile = new File(keyStoreName);
+            if (storeFile.isFile()) {
+                KeyStore keyStore = KeyStore.getInstance(storeFile, storepass);
+                realStoreType = keyStore.getType();
+                if (realStoreType.equalsIgnoreCase("JKS")
+                        || realStoreType.equalsIgnoreCase("JCEKS")) {
+                    outdatedFormat = true;
+                }
+            }
+
             try {
                 if (nullStream) {
                     store.load(null, storepass);

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/resources/jarsigner.properties

@@ -222,3 +222,5 @@ entry.1.is.signed.in.jarinputstream.but.is.not.signed.in.jarfile=Entry %s is sig
 jar.contains.internal.inconsistencies.result.in.different.contents.via.jarfile.and.jarinputstream=This JAR file contains internal inconsistencies that may result in different contents when reading via JarFile and JarInputStream:
 signature.verification.failed.on.entry.1.when.reading.via.jarinputstream=Signature verification failed on entry %s when reading via JarInputStream
 signature.verification.failed.on.entry.1.when.reading.via.jarfile=Signature verification failed on entry %s when reading via JarFile
+outdated.storetype.warning=%1$s uses outdated cryptographic algorithms and will be removed in a future release. Migrate to PKCS12 using:\n\
+keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12

test/jdk/java/security/KeyStore/TestOutdatedKeyStore.java

@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.PrintStream;
+import java.security.KeyStore;
+import java.security.Provider;
+import java.security.Security;
+import java.util.Locale;
+
+/*
+ * @test
+ * @bug 8353749
+ * @summary Check warnings for JKS and JCEKS KeyStore
+ * @run main/othervm -Djava.security.debug=keystore TestOutdatedKeyStore
+ */
+
+public class TestOutdatedKeyStore {
+
+    private static final String[] KS_TYPES = {
+            "jks", "jceks"
+    };
+
+    private static final String KS_WARNING1 =
+            "uses outdated cryptographic algorithm and will be removed " +
+            "in a future release. Migrate to PKCS12 using:";
+
+    private static final String KS_WARNING2=
+            "keytool -importkeystore -srckeystore <keystore> " +
+            "-destkeystore <keystore> -deststoretype pkcs12";
+
+    public static void main(String[] args) throws Exception {
+        for (String type : KS_TYPES) {
+            testGetInstance1(type);
+            testGetInstance2(type);
+            testGetInstance3(type);
+            testGetInstance4(type);
+            testGetInstance5(type);
+        }
+        System.out.println("All tests completed.");
+    }
+
+    // Test getInstance(String type)
+    private static void testGetInstance1(String type) throws Exception {
+        System.out.println("Test getInstance(String type) with type: "
+                + type);
+        checkWarnings(type, () -> {
+            KeyStore ks = KeyStore.getInstance(type);
+        });
+    }
+
+    // Test getInstance(String type, String provider)
+    private static void testGetInstance2(String type) throws Exception {
+        System.out.println("Test getInstance(String type, String provider) with type: "
+                + type);
+        String provider = Security.getProviders("KeyStore." + type)[0].getName();
+        checkWarnings(type, () -> {
+            KeyStore ks = KeyStore.getInstance(type, provider);
+        });
+    }
+
+    // Test getInstance(String type, Provider provider)
+    private static void testGetInstance3(String type) throws Exception {
+        System.out.println("Test getInstance(String type, Provider provider) with type: "
+                + type);
+        Provider provider = Security.getProviders("KeyStore." + type)[0];
+        checkWarnings(type, () -> {
+            KeyStore ks = KeyStore.getInstance(type, provider);
+        });
+    }
+
+    // Test getInstance(File file, char[] password)
+    private static void testGetInstance4(String type) throws Exception {
+        System.out.println("Test getInstance(File file, char[] password) with type: "
+                + type);
+        File ksFile = createKeystore(type);
+        checkWarnings(type, () -> {
+            KeyStore ks = KeyStore.getInstance(ksFile, "changeit".toCharArray());
+        });
+    }
+
+    // Test getInstance(File file, LoadStoreParameter param)
+    private static void testGetInstance5(String type) throws Exception {
+        System.out.println("Test getInstance(File file, LoadStoreParameter param) with type: "
+                + type);
+        File ksFile = createKeystore(type);
+        KeyStore.LoadStoreParameter param = new KeyStore.LoadStoreParameter() {
+            @Override
+            public KeyStore.ProtectionParameter getProtectionParameter() {
+                return new KeyStore.PasswordProtection("changeit".toCharArray());
+            }
+        };
+        checkWarnings(type, () -> {
+            KeyStore ks = KeyStore.getInstance(ksFile, param);
+        });
+    }
+
+    private static File createKeystore(String type) throws Exception {
+        File ksFile = File.createTempFile("kstore", ".tmp");
+        ksFile.deleteOnExit();
+        KeyStore ks = KeyStore.getInstance(type);
+        ks.load(null, null);
+        try (FileOutputStream fos = new FileOutputStream(ksFile)) {
+            ks.store(fos, "changeit".toCharArray());
+        }
+        return ksFile;
+    }
+
+    private static void checkWarnings(String type, RunnableWithException r) throws Exception {
+        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
+        PrintStream origErr = System.err;
+        try {
+            System.setErr(new PrintStream(bOut));
+            r.run();
+        } finally {
+            System.setErr(origErr);
+        }
+
+        String msg = bOut.toString();
+        if (!msg.contains("WARNING: " + type.toUpperCase(Locale.ROOT)) ||
+                !msg.contains(KS_WARNING1) ||
+                !msg.contains(KS_WARNING2)) {
+            throw new RuntimeException("Expected warning not found for " + type + ":\n" + msg);
+        }
+    }
+
+    interface RunnableWithException {
+        void run() throws Exception;
+    }
+}

test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java

@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 8217375 8260286 8267319
+ * @bug 8217375 8260286 8267319 8353749
  * @summary This test is used to verify the compatibility of jarsigner across
  *     different JDK releases. It also can be used to check jar signing (w/
  *     and w/o TSA) and to verify some specific signing and digest algorithms.
@@ -850,6 +850,9 @@ private static Status verifyingStatus(SignItem signItem, VerifyItem
             if (Test.CERTIFICATE_SELF_SIGNED.equals(line)) continue;
             if (Test.HAS_EXPIRED_CERT_VERIFYING_WARNING.equals(line)
                     && signItem.certInfo.expired) continue;
+
+            if (line.contains(Test.OUTDATED_KEYSTORE_WARNING1)) continue;
+            if (line.contains(Test.OUTDATED_KEYSTORE_WARNING2)) continue;
             System.out.println("verifyingStatus: unexpected line: " + line);
             return Status.ERROR; // treat unexpected warnings as error
         }

test/jdk/sun/security/tools/jarsigner/warnings/Test.java

@@ -151,6 +151,13 @@ public abstract class Test {
     static final String WEAK_KEY_WARNING
             = "will be disabled in a future update.";
 
+    static final String OUTDATED_KEYSTORE_WARNING1
+            = "uses outdated cryptographic algorithms and will be "
+            + "removed in a future release. Migrate to PKCS12 using:";
+
+    static final String OUTDATED_KEYSTORE_WARNING2
+            = "keytool -importkeystore -srckeystore";
+
     static final String JAR_SIGNED = "jar signed.";
 
     static final String JAR_VERIFIED = "jar verified.";

test/jdk/sun/security/tools/keytool/OutdatedKeyStoreWarning.java

@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8353749
+ * @summary Validate that keytool and jarsigner emit warnings for
+ *         JKS and JCEKS keystore
+ * @library /test/lib
+ */
+
+import java.nio.file.Path;
+
+import jdk.test.lib.SecurityTools;
+import jdk.test.lib.util.JarUtils;
+
+public class OutdatedKeyStoreWarning {
+
+    public static void main(String[] args) throws Exception {
+        String[] ksTypes = {"JKS", "JCEKS"};
+
+        for (String type : ksTypes) {
+            String ksFile = type.toLowerCase() + ".ks";
+            String KS_WARNING = type + " uses outdated cryptographic algorithms and " +
+                    "will be removed in a future release. Migrate to PKCS12 using:";
+
+            SecurityTools.keytool(String.format(
+                    "-genkeypair -keystore %s -storetype %s -storepass changeit " +
+                    "-keypass changeit -keyalg ec -alias a1 -dname CN=me",
+                    ksFile, type.toLowerCase()))
+                    .shouldContain("Warning:")
+                    .shouldContain(KS_WARNING)
+                    .shouldMatch("keytool -importkeystore -srckeystore." +
+                            "*-destkeystore.*-deststoretype pkcs12")
+                    .shouldHaveExitValue(0);
+
+            JarUtils.createJarFile(Path.of("unsigned.jar"), Path.of("."),
+                    Path.of(ksFile));
+
+            SecurityTools.jarsigner(String.format(
+                    "-keystore %s -storetype %s -storepass changeit -signedjar signed.jar " +
+                    "unsigned.jar a1",
+                    ksFile, type.toLowerCase()))
+                    .shouldContain("Warning:")
+                    .shouldContain(KS_WARNING)
+                    .shouldMatch("keytool -importkeystore -srckeystore." +
+                            "*-destkeystore.*-deststoretype pkcs12")
+                    .shouldHaveExitValue(0);
+
+            SecurityTools.jarsigner(String.format(
+                    "-verify -keystore %s -storetype %s -storepass changeit signed.jar",
+                    ksFile, type.toLowerCase()))
+                    .shouldContain("Warning:")
+                    .shouldContain(KS_WARNING)
+                    .shouldMatch("keytool -importkeystore -srckeystore." +
+                            "*-destkeystore.*-deststoretype pkcs12")
+                    .shouldHaveExitValue(0);
+        }
+    }
+}