Transitioning the default keystore format to PKCS#12
Vincent Ryan
vincent.x.ryan at oracle.com
Thu Nov 1 10:58:27 UTC 2012
I think storing secret keys, and passwords, is still important. We intend to add support for SecretKeyEntry to the
PKCS12 implementation but there are no plans to make changes to JCEKS.
On 1 Nov 2012, at 02:08, Weijun Wang wrote:
> A little off topic:
>
> Do we still care about the JCEKS storetype? Maybe no one stores secret keys in a keystore?
>
> Thanks
> Max
>
>
> On 11/01/2012 12:55 AM, Vincent Ryan wrote:
>>
>> Before considering migrating the platform default keystore format to PKCS12 its keystore implementation
>> must at least match the functionality of JKS.
>>
>> I have developed a prototype of a multi-format keystore that understands both JKS and PKCS12
>> formats - it checks for the JKS magic number to determine the format. By supporting both formats,
>> existing applications that access keystores using the platform default keystore format continue to
>> function as expected.
>>
>> In addition, storing trusted certs in PKCS12 is now supported. I've selected the X.509
>> extendedKeyUsage attribute to explicitly denote that a certificate is trusted - its default value is
>> trusted-for-any-purpose. This well-known attribute is stored with the certificate in a PKCS12
>> certBag.
>>
>> Webrev:
>> http://cr.openjdk.java.net/~vinnie/jdk8-multi/webrev/
>>
>> Please send me any comments.
>> Thanks.
>>
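The format detection the prototype above describes, written here as an added illustration rather than code from the webrev: it reads the leading bytes of the file, treats the JKS magic number (0xFEEDFEED) and the JCEKS magic number (0xCECECECE) as those store types, and assumes anything that starts with a DER SEQUENCE tag is PKCS12. The class and method names are mine, not the JDK's.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;

public final class KeyStoreSniffer {
    // Well-known file headers: JKS and JCEKS each begin with a 4-byte magic
    // number; a PKCS12 (PFX) file is a DER SEQUENCE, so its first byte is 0x30.
    private static final int JKS_MAGIC = 0xFEEDFEED;
    private static final int JCEKS_MAGIC = 0xCECECECE;

    /** Returns the KeyStore type to request from the JCA, based on the file header only. */
    static String detectType(Path file) throws IOException {
        try (DataInputStream in = new DataInputStream(Files.newInputStream(file))) {
            int header = in.readInt(); // throws EOFException for files shorter than 4 bytes
            if (header == JKS_MAGIC) return "JKS";
            if (header == JCEKS_MAGIC) return "JCEKS";
            if ((header >>> 24) == 0x30) return "PKCS12";
            throw new IOException("unrecognised keystore header: 0x" + Integer.toHexString(header));
        }
    }

    /** Loads the keystore with whichever provider type the header indicates. */
    static KeyStore load(Path file, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(detectType(file));
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password); // for JKS/JCEKS this also verifies the integrity MAC
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load(Paths.get(args[0]), args[1].toCharArray());
        System.out.println("type=" + ks.getType() + " entries=" + ks.size());
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isCertificateEntry(alias) ? "trusted cert" : "key";
            System.out.println(alias + " [" + kind + "]");
        }
    }
}
```

Because a PKCS12 file is only recognised as such when the header is a SEQUENCE tag, a store that has been truncated or corrupted is rejected before any provider is asked to parse it, which is the behaviour you want when the same code path must accept both legacy JKS files and new PKCS12 ones.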