[8] Code review request for 8006591: Protect keystore entries using stronger PBE algorithms

Weijun Wang weijun.wang at oracle.com
Sat Jan 19 13:07:01 UTC 2013



On Jan 19, 2013, at 20:24, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:

> 
> On 19/01/2013 09:43, Weijun Wang wrote:
>> Also, although we haven't standardized the keystore types, there is
>> still a possibility that different providers using the same storetype
>> name. How can we ensure everyone honoring the security property?
>> 
> 
> If another JCE provider uses the same keystore type name for their
> implementation as an existing keystore type name then the same default
> entry protection algorithm would apply to both. I don't think that's
> a problem.
> 
> If it became an issue then we could consider making the security
> property multi-valued and rely on ordering to distinguish been keystore
> implementations that employ the same keystore type.
> 
> 
>> Max
>> 
>> On Jan 19, 2013, at 17:28, Weijun Wang <weijun.wang at oracle.com
>> <mailto:weijun.wang at oracle.com>> wrote:
>> 
>>> 
>>> 
>>> +        /**
>>> +         * Gets the name of the protection algorithm.
>>> +         * If none was set then the default algorithm name is returned.
>>> +         * The default algorithm name for a given keystore type is set using the
>>> +         * {@code 'keystore.<type>.entryProtectionAlgorithm'} Security property.
>>> +         * For example, the
>>> +         * {@code keystore.PKCS12.entryProtectionAlgorithm} property stores the
>>> +         * name of the default entry protection algorithm used for PKCS12
>>> +         * keystores.
>>> +         *
>>> I didn't see the security property used in the pkcs12 codes.
>>> 
> 
> Right. I need to update the keystore code to support that.

And probably also the description and example line to java.security file.

Max

> Thanks.
> 
> 
>>> -Max
>>> On Jan 19, 2013, at 3:53, Vincent Ryan <vincent.x.ryan at oracle.com
>>> <mailto:vincent.x.ryan at oracle.com>> wrote:
>>> 
>>>> Hello,
>>>> 
>>>> Please review the fix for 8006591. It introduces a mechanism to enable
>>>> stronger PBE algorithms to be specified when encrypting a keystore entry.
>>>> This allows developers to make use of the new PBE algorithms delivered in
>>>> JEP-121. Note however that PKCS12 is currently the only keystore that
>>>> supports this new feature.
>>>> 
>>>> It is a component of the JEP-166 delivery.
>>>> 
>>>> Webrev: http://cr.openjdk.java.net/~vinnie/8006591/webrev.00/
>>>> 
>>>> Thanks.
> 



More information about the security-dev mailing list