Transitioning the default keystore format to PKCS#12
Vincent Ryan
vincent.x.ryan at oracle.com
Wed Oct 31 16:55:00 UTC 2012
Before considering migrating the platform default keystore format to PKCS12 its keystore implementation
must at least match the functionality of JKS.
I have developed a prototype of a multi-format keystore that understands both JKS and PKCS12
formats - it checks for the JKS magic number to determine the format. By supporting both formats,
existing applications that access keystores using the platform default keystore format, continue to
function as expected.
In addition, storing trusted certs in PKCS12 is now supported. I've selected the X.509
extendedKeyUsage attribute to explicitly denote that a certificate is trusted - its default value is
trusted-for-any-purpose. This well-known attribute is stored with the certificate in a PKCS12
certBag.
Webrev:
http://cr.openjdk.java.net/~vinnie/jdk8-multi/webrev/
Please send me any comments.
Thanks.
More information about the security-dev
mailing list