[8u] RFR: 8076190: Customizing the generation of a PKCS12 keystore

Martin Balao mbalao at redhat.com
Tue Feb 8 15:12:34 UTC 2022


Hi Alexey,

Thanks for your new proposal.

On Tue, Feb 8, 2022 at 9:05 AM Alexey Bakhtin <alexey at azul.com> wrote:

> The changes are OK for me except for the PKCS12 keystore provider.
> Right now PKCS12 Keystore is defined in the SunJSSE provider only (not
> SunJCE):
> * https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/7fcf35286d52/src/share/classes/sun/security/ssl/SunJSSE.java#l233
>

Yes, you are right in that it's not SunJCE but SunJSSE.

Just for the record, PKCS#12 keystores can be handled by SUN as part of the
dual-format support. SUN does not register its KeyStore services for the
algorithm "PKCS12" but for "JKS". My understanding is, thus, that Keytool
won't support the passwordless feature in those because 'storetype' (which
is used for KeyStore.getInstance(storetype,...)) is checked to be "PKCS12"
(case-insensitive).

> I was thinking to add PKCS12 into the SUN provider, similar to JDK11+, but
> it could affect custom providers with PKCS12 support (the PKCS12 keystore
> implementation could be changed because of the high SUN provider priority)
>

I'd suggest no changes there for the same reason.


>
> Also, I have updated the sun/security/pkcs12/ParamsTest.java test to explicitly
> specify the PKCS12 storetype for passwordless keystores.
> All sun/security/pkcs12 and sun/security/tools/keytool tests pass.
>

Thanks, but I still have the previous question regarding changes in the
assertions. In particular, 11u checks the following:

+        // -importkeystore prompts for srckeypass
+        SecurityTools.setResponse("changeit", "changeit");
+        keytool("-importkeystore -srckeystore ksnopass "
+                + "-destkeystore jks3 -deststorepass changeit")
+                .shouldContain("Enter key password for <a>")
+                .shouldContain("Enter key password for <b>")
+                .shouldContain("2 entries successfully imported");
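Review bot: dropping the two `.shouldContain("Enter key password for <a>")` / `<b>` assertions from the 8u version of this hunk leaves the test unable to confirm that -importkeystore really prompts for the per-entry key passwords of the passwordless source keystore; `SecurityTools.setResponse("changeit", "changeit")` queues exactly two answers for those two prompts, so either the assertions should be kept, or, if 8u genuinely behaves differently, the hunk should say so in a comment and the setResponse call should be adjusted to match.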

Apparently, ".shouldContain("Enter key password for <a>")" and
".shouldContain("Enter key password for <b>")" were removed in the 8u backport.
Why?

The same here:

+        // -importkeystore prompts for srckeypass for private keys
+        // and no prompt for certs
+        SecurityTools.setResponse("changeit", "changeit");
+        keytool("-importkeystore -srckeystore ksnopass2 "
+                + "-destkeystore jks5 -deststorepass changeit")
+                .shouldContain("Enter key password for <a>")
+                .shouldContain("Enter key password for <b>")
+                .shouldNotContain("Enter key password for <aa>")
+                .shouldNotContain("Enter key password for <bb>")
+                .shouldContain("4 entries successfully imported");
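Review bot: the `.shouldNotContain("Enter key password for <aa>")` / `<bb>` assertions only establish what the comment claims ("prompts for srckeypass for private keys and no prompt for certs") when they are paired with the positive checks for `<a>` and `<b>`; without those, a run that prompts for nothing at all still passes, so the positive assertions should be retained alongside the negative ones in the 8u version (or the two-answer setResponse call explained).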

".shouldContain("Enter key password for <a>")" and ".shouldContain("Enter
key password for <b>")" were removed. Why?

Best,
Martin.-
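As an added illustration of the dual-format point above (this is not code from the thread, the JDK test, or the backport), the snippet below stores a PKCS12 keystore through the "PKCS12" service and reloads the same bytes through the SUN "JKS" service. It assumes a JDK 8u with dual-format JKS support; the key material, alias and password are constructed sample values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.spec.SecretKeySpec;

public class DualFormatCheck {
    public static void main(String[] args) throws Exception {
        char[] pwd = "changeit".toCharArray(); // constructed sample password

        // Which provider backs each algorithm name? On 8u the thread notes that
        // "PKCS12" is registered by SunJSSE and "JKS" by SUN.
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        KeyStore jks = KeyStore.getInstance("JKS");
        System.out.println("PKCS12 -> " + p12.getProvider().getName());
        System.out.println("JKS    -> " + jks.getProvider().getName());

        // Build a small PKCS12 keystore in memory with one secret-key entry
        // (all-zero AES key material, constructed for illustration only).
        p12.load(null, null);
        byte[] raw = new byte[16];
        p12.setEntry("a",
                new KeyStore.SecretKeyEntry(new SecretKeySpec(raw, "AES")),
                new KeyStore.PasswordProtection(pwd));
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        p12.store(bos, pwd);
        byte[] pfx = bos.toByteArray();

        // Dual-format support (assumed present): the SUN "JKS" service detects
        // that the bytes are PKCS12 and reads them anyway, so a storetype of
        // "JKS" can silently end up handling a PKCS12 file.
        jks.load(new ByteArrayInputStream(pfx), pwd);
        System.out.println("Requested type: " + jks.getType()
                + ", aliases: " + Collections.list(jks.aliases()));
        System.out.println("Entry 'a' is a secret key: "
                + jks.entryInstanceOf("a", KeyStore.SecretKeyEntry.class));
    }
}
```

Because the type requested from KeyStore.getInstance stays "JKS" here, a storetype check for "PKCS12" such as the one the thread describes in keytool would not match this keystore even though the bytes on disk are PKCS12.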

