[8u] RFR: 8076190: Customizing the generation of a PKCS12 keystore

Alexey Bakhtin alexey at azul.com
Tue Feb 8 15:50:47 UTC 2022


Hi Martin,

Thank you for the test findings.
These commands missed “-srcstoretype PKCS12” and were checked incorrectly.
I’ve added “-srcstoretype PKCS12” and reverted original assertions. Test passed.
Now all assertions in the 8u version are identical to the 11u version of the ParamsTest.java.
The only test difference is the explicit specification of the src/dststoretype PKCS12.

New webrev: https://cr.openjdk.java.net/~abakhtin/8076190_8u/webrev.v4/

Regards
Alexey

> On 8 Feb 2022, at 18:12, Martin Balao <mbalao at redhat.com> wrote:
> 
> Hi Alexey,
> 
> Thanks for your new proposal.
> 
> On Tue, Feb 8, 2022 at 9:05 AM Alexey Bakhtin <alexey at azul.com> wrote:
> The changes are OK for me except for the PKCS12 keystore provider.
> Right now PKCS12 Keystore is defined in the SunJSSE provider only (not SunJCE):
> * https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/7fcf35286d52/src/share/classes/sun/security/ssl/SunJSSE.java#l233
> 
> Yes, you are right in that it's not SunJCE but SunJSSE.
> 
> Just for the record, PKCS#12 keystores can be handled by SUN as part of the dual-format support. SUN does not register its KeyStore services for the algorithm "PKCS12" but for "JKS". My understanding is, thus, that Keytool won't support the passwordless feature in those because 'storetype' (which is used for KeyStore.getInstance(storetype,...)) is checked to be "PKCS12" (case-insensitive).
> 
> I was thinking to add PKCS12 into the SUN provider similar to JDK11+, but it could affect custom providers with PKCS12 support (the PKCS12 keystore implementation could be changed because of the high SUN provider priority).
> 
> I'd suggest no changes there for the same reason.
> 
> 
> Also I have updated sun/security/pkcs12/ParamsTest.java test to explicitly specify PKCS12 storetype for passwordless keystores.
> All sun/security/pkcs12 and sun/security/tools/keytool tests passed.
> 
> Thanks, but I still have the previous question regarding changes in the assertions. In particular, 11u checks the following:
> 
> +        // -importkeystore prompts for srckeypass
> +        SecurityTools.setResponse("changeit", "changeit");
> +        keytool("-importkeystore -srckeystore ksnopass "
> +                + "-destkeystore jks3 -deststorepass changeit")
> +                .shouldContain("Enter key password for <a>")
> +                .shouldContain("Enter key password for <b>")
> +                .shouldContain("2 entries successfully imported");
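Review bot: the `-importkeystore` command in this hunk opens `-srckeystore ksnopass` without a `-srcstoretype PKCS12`, and per the storetype check described above (SUN registers its KeyStore as "JKS" and only reaches PKCS#12 files through dual-format loading), a passwordless source keystore on 8u is not treated as PKCS12 unless the type is given explicitly, so the `Enter key password for <a>` / `<b>` prompts never appear. Add `-srcstoretype PKCS12` to the command and keep both `shouldContain` assertions as they are in 11u instead of dropping them.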
> 
> Apparently, ".shouldContain("Enter key password for <a>")" and ".shouldContain("Enter key password for <b>")" were removed in 8u backport. Why?
> 
> The same here:
> 
> +        // -importkeystore prompts for srckeypass for private keys
> +        // and no prompt for certs
> +        SecurityTools.setResponse("changeit", "changeit");
> +        keytool("-importkeystore -srckeystore ksnopass2 "
> +                + "-destkeystore jks5 -deststorepass changeit")
> +                .shouldContain("Enter key password for <a>")
> +                .shouldContain("Enter key password for <b>")
> +                .shouldNotContain("Enter key password for <aa>")
> +                .shouldNotContain("Enter key password for <bb>")
> +                .shouldContain("4 entries successfully imported");
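Review bot: same omission on the `ksnopass2` command: add `-srcstoretype PKCS12` so the private-key entries `<a>` and `<b>` are prompted for and the two `shouldContain` lines can stay; the `shouldNotContain` checks for `<aa>` and `<bb>` only verify the absence of a prompt for the certificate entries and should remain unchanged.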
> 
> ".shouldContain("Enter key password for <a>")" and ".shouldContain("Enter key password for <b>")" were removed. Why?
> 
> Best,
> Martin.-
> 
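An added illustration of the dual-format point Martin raises (this is not code from the webrev or from either participant): the same PKCS#12 bytes loaded through `KeyStore.getInstance("JKS")` report their type as "JKS", so a check for storetype "PKCS12" only matches when the type is requested explicitly. It assumes an 8u JDK whose SUN provider performs dual-format JKS loading; the secret-key entry and the password are constructed sample data.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import javax.crypto.spec.SecretKeySpec;

public class DualFormatDemo {

    // Build a PKCS#12 keystore in memory holding one constructed
    // secret-key entry under alias "a", protected by the given password.
    static byte[] buildPkcs12(char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES"); // sample key
        ks.setEntry("a", new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(pw));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        return out.toByteArray();
    }

    // Load the same bytes under the requested keystore type and report
    // the type the resulting KeyStore object claims, which is the type
    // string passed to getInstance, not the on-disk format.
    static String loadAs(String type, byte[] data, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(new ByteArrayInputStream(data), pw);
        return ks.getType();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed sample password
        byte[] p12 = buildPkcs12(pw);

        // Explicit PKCS12: type matches a case-insensitive "PKCS12" check.
        System.out.println("requested PKCS12 -> " + loadAs("PKCS12", p12, pw));

        // Dual-format: SUN's JKS implementation accepts the PKCS#12 file,
        // but the KeyStore still identifies itself as JKS, so a storetype
        // check for "PKCS12" (as keytool performs) would not match.
        System.out.println("requested JKS    -> " + loadAs("JKS", p12, pw));
    }
}
```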


