[8] Code review request for 8006591: Protect keystore entries using stronger PBE algorithms

Vincent Ryan vincent.x.ryan at oracle.com
Sat Jan 19 12:24:00 UTC 2013 

On 19/01/2013 09:43, Weijun Wang wrote:
> Also, although we haven't standardized the keystore types, there is
> still a possibility that different providers using the same storetype
> name. How can we ensure everyone honoring the security property?
>

If another JCE provider uses the same keystore type name for their
implementation as an existing keystore type name then the same default
entry protection algorithm would apply to both. I don't think that's
a problem.

If it became an issue then we could consider making the security
property multi-valued and rely on ordering to distinguish been keystore
implementations that employ the same keystore type.


> Max
>
> On Jan 19, 2013, at 17:28, Weijun Wang <weijun.wang at oracle.com
> <mailto:weijun.wang at oracle.com>> wrote:
>
>>
>>
>> +        /**
>> +         * Gets the name of the protection algorithm.
>> +         * If none was set then the default algorithm name is returned.
>> +         * The default algorithm name for a given keystore type is set using the
>> +         * {@code 'keystore.<type>.entryProtectionAlgorithm'} Security property.
>> +         * For example, the
>> +         * {@code keystore.PKCS12.entryProtectionAlgorithm} property stores the
>> +         * name of the default entry protection algorithm used for PKCS12
>> +         * keystores.
>> +         *
>> I didn't see the security property used in the pkcs12 codes.
>>

Right. I need to update the keystore code to support that.
Thanks.


>> -Max
>> On Jan 19, 2013, at 3:53, Vincent Ryan <vincent.x.ryan at oracle.com
>> <mailto:vincent.x.ryan at oracle.com>> wrote:
>>
>>> Hello,
>>>
>>> Please review the fix for 8006591. It introduces a mechanism to enable
>>> stronger PBE algorithms to be specified when encrypting a keystore entry.
>>> This allows developers to make use of the new PBE algorithms delivered in
>>> JEP-121. Note however that PKCS12 is currently the only keystore that
>>> supports this new feature.
>>>
>>> It is a component of the JEP-166 delivery.
>>>
>>> Webrev: http://cr.openjdk.java.net/~vinnie/8006591/webrev.00/
>>>
>>> Thanks.

More information about the security-dev mailing list