request for review 8044445: Create PKCS12 Keystores by Default

Vincent Ryan vincent.x.ryan at oracle.com
Tue Dec 2 11:23:41 UTC 2014


Please review the following enhancement to improve keystore security by creating PKCS12 keystores by default.
Previously, JKS keystores were created by default. PKCS12 has the advantage of supporting stronger crypto
and hashing algorithms. It is also an open, extensible format and supports associating arbitrary attributes with
keystore entries.

Webrev: http://cr.openjdk.java.net/~vinnie/8044445/webrev.00/
Bug: https://bugs.openjdk.java.net/browse/JDK-8044445


To assist with compatibility across JDK releases, both JKS and PKCS12 keystore implementations have been
extended to support both file formats. Applications that access keystores created by earlier releases should
require no code changes.

This changeset also includes a new convenience method for instantiating a file-based keystore: KeyStore.getInstance
- it takes a File argument. The specified file is probed by each supported keystore implementation to determine its
keystore type. KeyStoreSpi has been enhanced with a boolean engineProbe method to perform the actual probing.

Finally, to improve performance, the PKCS12 keystore implementation has been moved from the SunJSSE provider
to the SUN provider (as it appears earlier in the default list of installed JCE providers).
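The following is an added illustration by the editor, not code from the webrev or from the OpenJDK project, of the behaviour the review request describes: the default keystore type becoming PKCS12, the file-probing `KeyStore.getInstance(File, ...)` factory, and each implementation accepting the other's on-disk format. It assumes the JDK 9 final API shape `KeyStore.getInstance(File, char[])`, which may differ from the signature in webrev.00, and it needs a JDK in which the default type is already PKCS12 (a JKS default cannot hold a `SecretKeyEntry`). The password and alias are constructed demo values.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyStoreProbeDemo {

    // Constructed demo password; real deployments take it from a credential store, not source code.
    private static final char[] PASSWORD = "changeit-demo".toCharArray();

    /** Creates a keystore of the given type, optionally holding one AES SecretKeyEntry, and writes it to a temp file. */
    static File writeStore(String type, boolean withSecretKey) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);                       // initialise an empty in-memory keystore
        if (withSecretKey) {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            SecretKey key = kg.generateKey();
            ks.setEntry("demo-aes-key", new KeyStore.SecretKeyEntry(key),
                        new KeyStore.PasswordProtection(PASSWORD));
        }
        File out = Files.createTempFile("probe-demo-" + type.toLowerCase() + "-", ".ks").toFile();
        out.deleteOnExit();
        try (OutputStream os = Files.newOutputStream(out.toPath())) {
            ks.store(os, PASSWORD);
        }
        return out;
    }

    /** Lets each installed KeyStoreSpi probe the file (engineProbe) and returns the type that claimed it. */
    static String detectType(File file) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(file, PASSWORD);   // JDK 9 API shape, assumed here
        return ks.getType();
    }

    /** Reports whether an explicitly typed implementation can load a file that may be in the other format. */
    static boolean loadsAs(String type, File file) {
        try (InputStream in = Files.newInputStream(file.toPath())) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, PASSWORD);
            return true;
        } catch (GeneralSecurityException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // With this change the default type is PKCS12, so the default store can hold a SecretKeyEntry.
        String defaultType = KeyStore.getDefaultType();
        System.out.println("Default keystore type on this JDK: " + defaultType);

        File pkcs12 = writeStore(defaultType, true);
        File jks = writeStore("JKS", false);       // legacy JKS cannot hold SecretKeyEntry, so it stays empty

        // Probe each file without telling the API what it is; JKS files are flagged for migration.
        for (File f : new File[] {pkcs12, jks}) {
            String type = detectType(f);
            String note = type.equalsIgnoreCase("JKS")
                    ? "legacy format: candidate for migration to PKCS12"
                    : "modern format";
            System.out.printf("%s -> probed type %s (%s)%n", f.getName(), type, note);
        }

        // Cross-format compatibility described in the review request.
        System.out.println("PKCS12 implementation loads JKS file:  " + loadsAs("PKCS12", jks));
        System.out.println("JKS implementation loads PKCS12 file:  " + loadsAs("JKS", pkcs12));
    }
}
```

Run it with `java KeyStoreProbeDemo` on a JDK that carries this change. The probing loop is the piece an administrator can reuse: pointed at a directory of keystore files it reports which ones are still in the legacy JKS format without anyone having to remember how each was created.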
