[8] Code review request for 8006591: Protect keystore entries using stronger PBE algorithms
Weijun Wang
weijun.wang at oracle.com
Sat Jan 19 13:07:01 UTC 2013
On Jan 19, 2013, at 20:24, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:
>
> On 19/01/2013 09:43, Weijun Wang wrote:
>> Also, although we haven't standardized the keystore types, there is
>> still a possibility that different providers use the same storetype
>> name. How can we ensure everyone honors the security property?
>>
>
> If another JCE provider uses the same keystore type name for their
> implementation as an existing keystore type name then the same default
> entry protection algorithm would apply to both. I don't think that's
> a problem.
>
> If it became an issue then we could consider making the security
> property multi-valued and rely on ordering to distinguish between keystore
> implementations that employ the same keystore type.
>
>
>> Max
>>
>> On Jan 19, 2013, at 17:28, Weijun Wang <weijun.wang at oracle.com> wrote:
>>
>>>
>>>
>>> + /**
>>> + * Gets the name of the protection algorithm.
>>> + * If none was set then the default algorithm name is returned.
>>> + * The default algorithm name for a given keystore type is set using the
>>> + * {@code 'keystore.<type>.entryProtectionAlgorithm'} Security property.
>>> + * For example, the
>>> + * {@code keystore.PKCS12.entryProtectionAlgorithm} property stores the
>>> + * name of the default entry protection algorithm used for PKCS12
>>> + * keystores.
>>> + *
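Review bot: the doc comment leaves the fallback unspecified. It says the default algorithm name is returned when none was set, but not what the getter returns when the `keystore.<type>.entryProtectionAlgorithm` Security property is also absent, or names an algorithm the keystore implementation does not support. State the outcome (null, a built-in default, or an exception) so callers can rely on it, and mention that PKCS12 is currently the only keystore type that honors the property, as the review request notes.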
>>> I didn't see the security property used in the PKCS12 code.
>>>
>
> Right. I need to update the keystore code to support that.
And probably also the description and example line in the java.security file.
Max
> Thanks.
>
>
>>> -Max
>>> On Jan 19, 2013, at 3:53, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> Please review the fix for 8006591. It introduces a mechanism to enable
>>>> stronger PBE algorithms to be specified when encrypting a keystore entry.
>>>> This allows developers to make use of the new PBE algorithms delivered in
>>>> JEP-121. Note however that PKCS12 is currently the only keystore that
>>>> supports this new feature.
>>>>
>>>> It is a component of the JEP-166 delivery.
>>>>
>>>> Webrev: http://cr.openjdk.java.net/~vinnie/8006591/webrev.00/
>>>>
>>>> Thanks.
>
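The per-entry protection described in the review request, as an added example that is not part of the thread or the webrev: a secret key is stored in a PKCS12 keystore under an explicitly named JEP-121 PBE algorithm rather than the keystore's default, then read back. It assumes the three-argument KeyStore.PasswordProtection constructor (password, algorithm name, parameters) as it shipped in JDK 8, and a JDK whose crypto policy permits AES-256; file names and passwords are constructed sample values.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class StrongPbeEntry {
    public static void main(String[] args) throws Exception {
        char[] storePass = "changeit".toCharArray();      // constructed sample value
        char[] entryPass = "entry-secret".toCharArray();  // constructed sample value

        // Throwaway AES key to store as a SecretKeyEntry.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aesKey = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);  // fresh, empty keystore

        // Name the stronger PBE algorithm for this entry explicitly instead of
        // relying on the keystore.<type>.entryProtectionAlgorithm default.
        // Passing null parameters lets the keystore pick salt and iteration count.
        KeyStore.PasswordProtection strong = new KeyStore.PasswordProtection(
                entryPass, "PBEWithHmacSHA256AndAES_256", null);
        ks.setEntry("session-key", new KeyStore.SecretKeyEntry(aesKey), strong);

        try (FileOutputStream out = new FileOutputStream("strong.p12")) {
            ks.store(out, storePass);
        }

        // The chosen algorithm is recorded inside the PKCS12 structure, so the
        // reader only needs the entry password to recover the key.
        KeyStore loaded = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("strong.p12")) {
            loaded.load(in, storePass);
        }
        KeyStore.Entry e = loaded.getEntry("session-key",
                new KeyStore.PasswordProtection(entryPass));
        SecretKey back = ((KeyStore.SecretKeyEntry) e).getSecretKey();

        System.out.println("entry protected with: " + strong.getProtectionAlgorithm());
        System.out.println("round-trip ok: "
                + Arrays.equals(back.getEncoded(), aesKey.getEncoded()));
    }
}
```

Inspecting strong.p12 with a PKCS12 parser afterwards shows the entry's PBES2 algorithm identifier, which is the quickest way to confirm a deployment is no longer falling back to the legacy PBE defaults.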