[8u] RFR: 8076190: Customizing the generation of a PKCS12 keystore

Martin Balao mbalao at redhat.com
Tue Aug 24 14:50:02 UTC 2021


On Tue, Aug 24, 2021 at 9:57 AM Martin Balao <mbalao at redhat.com> wrote:
>   * In my view, there are 2 paths:
>     * If there is an existing file-based stream and it's PKCS#12, we
> need to determine if it's password-less based on the actual bytes
>     * If it's a new keystore of PKCS#12 type, we determine
> password-less through 'keystore.pkcs12.certProtectionAlgorithm' and
> 'keystore.pkcs12.macAlgorithm' property values
>     * JDK-8 does not split the new/existing paths in the same way that
> JDK-11 does: code is mostly shared between the two. I'd try to align
> the backport as much as possible to the original structure, and keep
> changes to a minimum. That is: only split the path to determine
> password-less status for PKCS#12 keystores and nothing else. Once we
> know it's 'pkcs12' (based on 'storetype' value, either passed by
> parameter or obtained from KeyStore::getDefaultType), we need to hook
> a point that lets us decide if it's a new keystore or an existing one.
> If it's an existing keystore we then use
> PKCS12KeyStore::isPasswordless (possibly handling the exception). If
> it's an existing one, we use 'keystore.pkcs12.certProtectionAlgorithm'
> and 'keystore.pkcs12.macAlgorithm' properties. Please note that the
> previous conditions can be swapped: check new/existing first and
> PKCS#12 then.

I'm thinking about something along these lines:

diff -r b7aeec2b20fa src/share/classes/sun/security/tools/keytool/Main.java
--- a/src/share/classes/sun/security/tools/keytool/Main.java    Tue
Jul 20 18:10:21 2021 +0100
+++ b/src/share/classes/sun/security/tools/keytool/Main.java    Tue
Aug 24 10:46:23 2021 -0400
@@ -805,6 +805,27 @@
             keyStore = KeyStore.getInstance(storetype, providerName);
         }

+        if (storetype.equalsIgnoreCase("pkcs12")) {
+            if (ksStream != null) {
+                // existing file-based keystore
+                try {
+                    isPasswordlessKeyStore =
PKCS12KeyStore.isPasswordless(ksfile);
+                } catch (IOException ioe) {
+                    // It might not be a 'pkcs12' file-based
keystore. There could be
+                    // a missmatch between what the user passed to
Keytool (either
+                    // as a 'storetype' arg or as a 'keystore.type'
security property)
+                    // and the actual keystore file.
+                }
+            } else {
+                // new keystore
+                isPasswordlessKeyStore =
+
"NONE".equals(SecurityProperties.privilegedGetOverridable(
+                                "keystore.pkcs12.certProtectionAlgorithm"))
+                        &&
"NONE".equals(SecurityProperties.privilegedGetOverridable(
+                                "keystore.pkcs12.macAlgorithm"));
+            }
+        }
+
         /*
          * Load the keystore data.
          *
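
Review bot: the `} catch (IOException ioe) {` block in the existing-file branch is empty, so when the storetype says pkcs12 but the file is something else (the mismatch the comment describes) isPasswordlessKeyStore silently keeps its previous value and nothing records why; suggest at least printing the exception under keytool's -debug option, or rethrowing with a message that names the file, so a wrong `-storetype` or `keystore.type` value is visible here rather than surfacing later as an unrelated load failure. The comment also misspells "mismatch" as "missmatch". For the new-keystore branch, `"NONE".equals(...)` is case-sensitive; worth confirming it matches how PKCS12KeyStore itself interprets those two property values, so keytool and the keystore never disagree on a value such as "none".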

NOTE: I've not tested (or even compiled) the code snippet above. It's
just to better illustrate what I have in my mind. Please have a look
at it and let me know what you think.
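As an added illustration of the two paths described above (my own code, not the patch or the JDK's), the class below decides password-less status the same way: for an existing file it walks the PFX bytes and reports false if the AuthenticatedSafe holds an EncryptedData member or the PFX carries MacData; for a new keystore it reads the two security properties, letting a system property of the same name override java.security. The class and method names are mine, the DER walker accepts definite-length encodings only, the sample keystore in main is constructed on the spot (one AES secret-key entry), and the demo assumes a JDK whose PKCS12 implementation honours keystore.pkcs12.certProtectionAlgorithm and keystore.pkcs12.macAlgorithm (JDK 12 and later, or an 8u/11u build carrying this change).

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not JDK or patch code; class and method names are mine and the
// DER walker accepts definite-length encodings only (which is what the JDK writer emits).
public final class Pkcs12PasswordlessCheck {
    static final String DATA_OID = "1.2.840.113549.1.7.1";
    static final String ENCRYPTED_DATA_OID = "1.2.840.113549.1.7.6";

    /** One DER tag/value pair with the length already consumed. */
    static final class Tlv {
        final int tag; final byte[] value;
        Tlv(int tag, byte[] value) { this.tag = tag; this.value = value; }
    }

    /** Splits DER bytes into consecutive TLVs (single-byte tags, definite lengths of at most 4 bytes). */
    static List<Tlv> tlvs(byte[] der) throws IOException {
        List<Tlv> out = new ArrayList<>();
        for (int i = 0; i < der.length; ) {
            if (i + 2 > der.length) throw new IOException("truncated DER");
            int tag = der[i++] & 0xff, len = der[i++] & 0xff;
            if (len > 0x7f) {                       // long form: low 7 bits give the number of length bytes
                int n = len & 0x7f;
                if (n == 0 || n > 4 || i + n > der.length) throw new IOException("unsupported DER length");
                for (len = 0; n-- > 0; ) len = (len << 8) | (der[i++] & 0xff);
            }
            if (len < 0 || i + len > der.length) throw new IOException("truncated DER");
            out.add(new Tlv(tag, Arrays.copyOfRange(der, i, i + len)));
            i += len;
        }
        return out;
    }

    /** Decodes an OBJECT IDENTIFIER value into dotted form. */
    static String oid(byte[] v) {
        StringBuilder sb = new StringBuilder().append((v[0] & 0xff) / 40).append('.').append((v[0] & 0xff) % 40);
        long acc = 0;
        for (int i = 1; i < v.length; i++) {
            acc = (acc << 7) | (v[i] & 0x7f);
            if ((v[i] & 0x80) == 0) { sb.append('.').append(acc); acc = 0; }
        }
        return sb.toString();
    }

    /** ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY OPTIONAL }; returns its fields. */
    static List<Tlv> contentInfo(Tlv ci) throws IOException {
        if (ci.tag != 0x30) throw new IOException("ContentInfo is not a SEQUENCE");
        List<Tlv> f = tlvs(ci.value);
        if (f.isEmpty() || f.get(0).tag != 0x06) throw new IOException("ContentInfo has no contentType");
        return f;
    }

    /** Existing-file path: no EncryptedData inside the AuthenticatedSafe and no MacData after it. */
    static boolean isPasswordless(byte[] pfxBytes) throws IOException {
        List<Tlv> top = tlvs(pfxBytes);
        if (top.size() != 1 || top.get(0).tag != 0x30) throw new IOException("not a PFX");
        List<Tlv> pfx = tlvs(top.get(0).value);  // version INTEGER, authSafe ContentInfo, MacData OPTIONAL
        if (pfx.size() < 2 || pfx.get(0).tag != 0x02) throw new IOException("not a PFX");
        List<Tlv> authSafe = contentInfo(pfx.get(1));
        if (!DATA_OID.equals(oid(authSafe.get(0).value))) throw new IOException("authSafe is not Data");
        // Data content is [0] EXPLICIT OCTET STRING holding AuthenticatedSafe ::= SEQUENCE OF ContentInfo
        if (authSafe.size() < 2 || authSafe.get(1).tag != 0xA0) throw new IOException("authSafe has no content");
        List<Tlv> octets = tlvs(authSafe.get(1).value);
        if (octets.size() != 1 || octets.get(0).tag != 0x04) throw new IOException("content is not an OCTET STRING");
        List<Tlv> seq = tlvs(octets.get(0).value);
        if (seq.size() != 1 || seq.get(0).tag != 0x30) throw new IOException("malformed AuthenticatedSafe");
        for (Tlv ci : tlvs(seq.get(0).value)) {
            if (ENCRYPTED_DATA_OID.equals(oid(contentInfo(ci).get(0).value))) return false;
        }
        return pfx.size() == 2;                  // a third PFX element would be MacData
    }

    /** New-keystore path: both properties set to NONE (a system property overrides java.security). */
    static boolean newKeyStoreIsPasswordless() {
        return "NONE".equalsIgnoreCase(overridable("keystore.pkcs12.certProtectionAlgorithm"))
            && "NONE".equalsIgnoreCase(overridable("keystore.pkcs12.macAlgorithm"));
    }

    static String overridable(String name) {
        String sys = System.getProperty(name);
        return sys != null ? sys : Security.getProperty(name);
    }

    /** Constructed sample: a fresh PKCS12 keystore with one AES secret-key entry, written under the current properties. */
    static byte[] storeSample(char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");   // fresh instance: a stored instance keeps its algorithms
        ks.load(null, null);
        ks.setEntry("demo", new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                    new KeyStore.PasswordProtection(pw));
        Path p = Files.createTempFile("ks", ".p12");
        try (OutputStream out = Files.newOutputStream(p)) { ks.store(out, pw); }
        return Files.readAllBytes(p);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        System.out.println("default properties   -> " + isPasswordless(storeSample(pw)));
        Security.setProperty("keystore.pkcs12.certProtectionAlgorithm", "NONE");
        Security.setProperty("keystore.pkcs12.macAlgorithm", "NONE");
        System.out.println("new keystore check   -> " + newKeyStoreIsPasswordless());
        System.out.println("NONE/NONE properties -> " + isPasswordless(storeSample(pw)));
    }
}
```

The first store runs with the default properties and the second after both are set to NONE, so the two isPasswordless results differ only by the MacData and EncryptedData the defaults add; the key entry itself stays protected by the key password in both files, which is why "password-less" here refers only to the store-level MAC and certificate encryption. A new KeyStore instance is created for each store because the provider fixes its MAC and protection algorithms the first time an instance is written, which is also why keytool has to decide the status before the load rather than after.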


