[8] Code review request for 8006591: Protect keystore entries using stronger PBE algorithms
Vincent Ryan
vincent.x.ryan at oracle.com
Sat Jan 19 12:24:00 UTC 2013
On 19/01/2013 09:43, Weijun Wang wrote:
> Also, although we haven't standardized the keystore types, there is
> still a possibility that different providers using the same storetype
> name. How can we ensure everyone honoring the security property?
>
If another JCE provider uses the same keystore type name for their
implementation as an existing keystore type name then the same default
entry protection algorithm would apply to both. I don't think that's
a problem.
If it became an issue then we could consider making the security
property multi-valued and rely on ordering to distinguish been keystore
implementations that employ the same keystore type.
> Max
>
> On Jan 19, 2013, at 17:28, Weijun Wang <weijun.wang at oracle.com
> <mailto:weijun.wang at oracle.com>> wrote:
>
>>
>>
>> + /**
>> + * Gets the name of the protection algorithm.
>> + * If none was set then the default algorithm name is returned.
>> + * The default algorithm name for a given keystore type is set using the
>> + * {@code 'keystore.<type>.entryProtectionAlgorithm'} Security property.
>> + * For example, the
>> + * {@code keystore.PKCS12.entryProtectionAlgorithm} property stores the
>> + * name of the default entry protection algorithm used for PKCS12
>> + * keystores.
>> + *
>> I didn't see the security property used in the pkcs12 codes.
>>
Right. I need to update the keystore code to support that.
Thanks.
>> -Max
>> On Jan 19, 2013, at 3:53, Vincent Ryan <vincent.x.ryan at oracle.com
>> <mailto:vincent.x.ryan at oracle.com>> wrote:
>>
>>> Hello,
>>>
>>> Please review the fix for 8006591. It introduces a mechanism to enable
>>> stronger PBE algorithms to be specified when encrypting a keystore entry.
>>> This allows developers to make use of the new PBE algorithms delivered in
>>> JEP-121. Note however that PKCS12 is currently the only keystore that
>>> supports this new feature.
>>>
>>> It is a component of the JEP-166 delivery.
>>>
>>> Webrev: http://cr.openjdk.java.net/~vinnie/8006591/webrev.00/
>>>
>>> Thanks.
More information about the security-dev
mailing list