[8u] RFR: 8076190: Customizing the generation of a PKCS12 keystore

Martin Balao mbalao at redhat.com
Sat Feb 5 02:27:59 UTC 2022


Hi Alexey,

On Thu, Feb 3, 2022 at 4:29 PM Alexey Bakhtin <alexey at azul.com> wrote:

> The issue described in [1] is related to HmacPBESHA256 support in the
> PKCS12KeyStore. This issue is not covered by JDK-8245169 but is fixed by
> another part of JDK-8076190.
> Should it be considered as a separate issue with a new Bug Id? Or should we
> fix altogether as a
> JDK-8076190 backport without password-less support?
>
> [1] -
> https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-December/014473.html


Hmm... The HmacPBESHA* part means introducing
'keystore.pkcs12.macAlgorithm' which can be, eventually, 'NONE'. If the
user invokes Keytool with 'storetype' equal to 'pkcs12',
'keystore.pkcs12.macAlgorithm=NONE' and SunJCE is handling that, it should
be fine to generate a new keystore without a Mac. Same for certificates and
keys probably. It looks to me that the real backward-compatibility breaker
is changing the 'storetype' based on the file, not the whole passwordless
thing. Perhaps we can skip those parts causing trouble and move forward
with the rest of it. I'll have a look again next week.

I suggest keeping this backport under 8076190.

Martin.-
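
One way to check whether a given PKCS12 file was written without a Mac, the case the message above describes for 'keystore.pkcs12.macAlgorithm=NONE'. This is an added example, not part of the original message and not JDK code. It assumes definite-length DER input; the function names are hypothetical and the sample bytes are constructed skeletons, not real keystores.

```python
# Added example. PFX ::= SEQUENCE { version, authSafe, macData OPTIONAL } (RFC 7292).

def read_tlv(buf, pos):
    """Parse one definite-length DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                      # short form: length in one byte
    else:
        n = first & 0x7F                    # long form: next n bytes hold the length
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length

def pfx_has_mac(der):
    """Return True if the top-level PFX SEQUENCE carries the optional macData."""
    tag, pos, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PFX must start with a SEQUENCE")
    tags = []
    while pos < end:
        child_tag, _, child_end = read_tlv(der, pos)
        if child_end > end:
            raise ValueError("child overruns PFX SEQUENCE")
        tags.append(child_tag)
        pos = child_end
    if tags == [0x02, 0x30]:                # version, authSafe only: no integrity Mac
        return False
    if tags == [0x02, 0x30, 0x30]:          # version, authSafe, macData
        return True
    raise ValueError("not a PFX structure")

def tlv(tag, body):
    """Builder for the constructed samples below (bodies shorter than 128 bytes)."""
    return bytes([tag, len(body)]) + body

# Constructed skeletons: correct outer shape, placeholder contents.
VERSION = tlv(0x02, b"\x03")
AUTHSAFE = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")) + tlv(0xA0, tlv(0x04, b"")))
MACDATA = tlv(0x30, tlv(0x30, b"") + tlv(0x04, b"saltsalt") + tlv(0x02, b"\x01"))
SAMPLE_WITH_MAC = tlv(0x30, VERSION + AUTHSAFE + MACDATA)
SAMPLE_NO_MAC = tlv(0x30, VERSION + AUTHSAFE)
```

A keystore for which `pfx_has_mac` returns False has no store-level integrity check, so tampering with its contents is not detected when it is loaded.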

