Transitioning the default keystore format to PKCS#12
Weijun Wang
weijun.wang at oracle.com
Thu Nov 1 02:08:28 UTC 2012
A little off topic:
Do we still care about the JCEKS storetype? Maybe no one stores secret
keys in a keystore?
Thanks
Max
On 11/01/2012 12:55 AM, Vincent Ryan wrote:
>
> Before considering migrating the platform default keystore format to PKCS12, its keystore implementation
> must at least match the functionality of JKS.
>
> I have developed a prototype of a multi-format keystore that understands both JKS and PKCS12
> formats - it checks for the JKS magic number to determine the format. By supporting both formats,
> existing applications that access keystores using the platform default keystore format continue to
> function as expected.
>
> In addition, storing trusted certs in PKCS12 is now supported. I've selected the X.509
> extendedKeyUsage attribute to explicitly denote that a certificate is trusted - its default value is
> trusted-for-any-purpose. This well-known attribute is stored with the certificate in a PKCS12
> certBag.
>
> Webrev:
> http://cr.openjdk.java.net/~vinnie/jdk8-multi/webrev/
>
> Please send me any comments.
> Thanks.
>