[9] request for review 8044445: Create PKCS12 Keystores by Default
Vincent Ryan
vincent.x.ryan at oracle.com
Tue Dec 2 11:23:41 UTC 2014
Please review the following enhancement to improve keystore security by creating PKCS12 keystores by default.
Previously, JKS keystores were created by default. PKCS12 has the advantage of supporting stronger crypto
and hashing algorithms. It is also an open, extensible format and supports associating arbitrary attributes with
keystore entries.
Webrev: http://cr.openjdk.java.net/~vinnie/8044445/webrev.00/
Bug: https://bugs.openjdk.java.net/browse/JDK-8044445
To assist with compatibility across JDK releases, both JKS and PKCS12 keystore implementations have been
extended to support both file formats. Applications that access keystores created by earlier releases should
require no code changes.
This changeset also includes a new convenience method for instantiating a file-based keystore: KeyStore.getInstance,
which takes a File argument. The specified file is probed by each supported keystore implementation to determine its
keystore type. KeyStoreSpi has been enhanced with a boolean engineProbe method to perform the actual probing.
Finally, to improve performance, the PKCS12 keystore implementation has been moved from the SunJSSE provider
to the SUN provider (as it appears earlier in the default list of installed JCE providers).
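The following is an added example, not code from the webrev or from the JDK itself, showing how the pieces described above fit together from an application's point of view: the default type is taken from KeyStore.getDefaultType(), a keystore is written to disk, and the file is reloaded without naming its type so that the installed implementations probe it. It assumes the file-based factory in the shape it later shipped in JDK 9, KeyStore.getInstance(File, char[]); the exact signature in webrev.00 may differ. The password, alias and AES key are constructed sample values.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/*
 * Added example (not part of the change under review). Assumes the
 * JDK 9 form of the probing factory, KeyStore.getInstance(File, char[]).
 */
public class ProbeKeyStoreExample {

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();   // constructed sample password

        // After this change the default type is "pkcs12" rather than "jks".
        String type = KeyStore.getDefaultType();
        System.out.println("Default keystore type: " + type);

        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);   // start with an empty in-memory keystore

        // Constructed entry: a fresh AES key. PKCS12 can hold secret-key
        // entries, which is one of its advantages over JKS.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        ks.setEntry("example-aes", new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(password));

        File file = Files.createTempFile("example", ".p12").toFile();
        try (FileOutputStream out = new FileOutputStream(file)) {
            ks.store(out, password);
        }

        // Reload without naming the type: each installed KeyStoreSpi is asked,
        // through engineProbe, whether it recognises the file, and the first
        // implementation that answers true is used to load it.
        KeyStore probed = KeyStore.getInstance(file, password);
        System.out.println("Probed type: " + probed.getType());

        SecretKey reloaded = (SecretKey) probed.getKey("example-aes", password);
        System.out.println("Key round-trips: "
                + Arrays.equals(key.getEncoded(), reloaded.getEncoded()));

        // Compatibility path described in the message: code that still asks for
        // "JKS" explicitly can open the PKCS12 file because the JKS implementation
        // now accepts both formats, so existing applications need no code change.
        KeyStore legacy = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) {
            legacy.load(in, password);
        }
        System.out.println("Entries seen through the JKS SPI: " + legacy.size());

        file.delete();
    }
}
```

Run it with a JDK that carries this change; on an older JDK the default type prints as "jks" and the File-based getInstance does not compile, which is itself a quick way to tell which behaviour a given runtime has.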