[8u] RFR: 8076190: Customizing the generation of a PKCS12 keystore
Alexey Bakhtin
alexey at azul.com
Thu Feb 3 21:29:33 UTC 2022
Hi Martin,
The issue described in [1] is related to HmacPBESHA256 support in the PKCS12KeyStore. This issue is not covered by JDK-8245169 but is fixed by another part of JDK-8076190.
Should it be considered a separate issue with a new Bug Id? Or should we fix it altogether as a JDK-8076190 backport without password-less support?
[1] - https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-December/014473.html
> On 3 Feb 2022, at 23:29, Alexey Bakhtin <alexey at azul.com> wrote:
>
> Hi Martin,
>
> Right now the password-less PKCS12 keystore feature is not critical for us. So, the fixes for 8245169 would be OK for now.
> Thank you for the discussion. I will prepare the patch for JDK-8245169 and send it for review.
>
> Thank you
> Alexey
>
>> On 3 Feb 2022, at 20:16, Martin Balao <mbalao at redhat.com> wrote:
>>
>> Hi Alexey,
>>
>> On Thu, Feb 3, 2022 at 10:38 AM Alexey Bakhtin <alexey at azul.com> wrote:
>> Yes, according to my investigations Oracle implemented the password-less feature as part of JDK-8076190.
>> So, we have a behaviour difference between the Oracle and OpenJDK implementations now.
>> I think the parity with Oracle is a good reason to backport all features of JDK-8076190 (not PBES2Parameters.java only).
>>
>> While we agree that Oracle parity is one of the inputs that we take into account when making these backport decisions, it shouldn't be the only one in my view. To put that into context, 8u is now an old release where more stability/backward-compatibility is expected and patches tend to divert more as we move forward. This particular case is an example of that. I asked about other reasons because we can weigh risk with, for example, a common use case and multiple users affected.
>>
>> Let me ask you 2 questions:
>>
>> 1) Would backporting only the parts related to 8245169 be a good compromise solution for you?
>>
>> 2) If not, are you willing to redesign the backport so it does not break compatibility in scenarios where SunJCE is disabled? I've not put thinking into alternatives but I'm open to review whatever you come up with.
>>
>> Thanks,
>> Martin.-
>>
>