Transitioning the default keystore format to PKCS#12

Weijun Wang weijun.wang at oracle.com
Wed Oct 31 19:08:28 PDT 2012


A little off topic:

Do we still care about the JCEKS storetype? Maybe no one stores secret 
keys in a keystore?

Thanks
Max


On 11/01/2012 12:55 AM, Vincent Ryan wrote:
>
> Before considering migrating the platform default keystore format to PKCS12 its keystore implementation
> must at least match the functionality of JKS.
>
> I have developed a prototype of a multi-format keystore that understands both JKS and PKCS12
> formats - it checks for the JKS magic number to determine the format. By supporting both formats,
> existing applications that access keystores using the platform default keystore format, continue to
> function as expected.
>
> In addition, storing trusted certs in PKCS12 is now supported. I've selected the X.509
> extendedKeyUsage attribute to explicitly denote that a certificate is trusted - its default value is
> trusted-for-any-purpose. This well-known attribute is stored with the certificate in a PKCS12
> certBag.
>
> Webrev:
>    http://cr.openjdk.java.net/~vinnie/jdk8-multi/webrev/
>
> Please send me any comments.
> Thanks.
>



More information about the security-dev mailing list