[9] request for review 8044445: Create PKCS12 Keystores by Default

Vincent Ryan vincent.x.ryan at oracle.com
Thu Dec 18 15:09:32 UTC 2014


The smallest content I could generate using keytool was 200 bytes: a 1-byte password.

0000000 3082011b 02010330 81d60609 2a864886
0000020 f70d0107 01a081c8 0481c530 81c23081
0000040 bf06092a 864886f7 0d010701 a081b104
0000060 81ae3081 ab3081a8 060b2a86 4886f70d
0000100 010c0a01 05a05930 57060b2a 864886f7
0000120 0d010c0a 0102a048 04463044 3028060a
0000140 2a864886 f70d010c 0103301a 04147856
0000160 a3689d4b e55469af fbfa2a41 d5d3ce1d
0000200 81360202 04000418 7867f3fc a91b9a1b
0000220 7b863cc5 7e89e11e db14739a e623462c
0000240 313e3019 06092a86 4886f70d 01091431
0000260 0c1e0a00 6d007900 6b006500 79302106
0000300 092a8648 86f70d01 09153114 04125469
0000320 6d652031 34313839 30383339 32363333
0000340 303d3021 30090605 2b0e0302 1a050004
0000360 144a9a2f f169cbdc 65e31b6e fd5d25a8
0000400 a7096207 55041433 c18e4ee1 0ee7fc7f
0000420 4e0177a3 f7248ac0 9484bd02 02040000
0000437


On 18 Dec 2014, at 14:59, Wang Weijun <weijun.wang at oracle.com> wrote:

> 
>> On Dec 18, 2014, at 22:12, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:
>> 
>> Thanks for reviewing, Max.
>> 
>> 
>> On 18 Dec 2014, at 06:52, Wang Weijun <weijun.wang at oracle.com> wrote:
>> 
>>> 
>>>> On Dec 18, 2014, at 07:58, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:
>>>> 
>>>> FYI I’ve updated the webrev to include the changes below:
>>>> http://cr.openjdk.java.net/~vinnie/8044445/webrev.05/
>>> 
>>> PKCS12KeyStore.PKCS12_HEADER_PATTERNS.
>>> 
>>> Is there a possibility for this?
>>> 
>>> 30 82 -- -- 02 01 03 30 81 -- 06 09 2A 86 48 86 F7 0D 01 07 01 A0 -- 04
>>> 
>>> That is to say, the length of ContentInfo is only slightly smaller than 128. My understanding is that this is more likely than existing patterns #5 and #6.
>> 
>> In theory it may be possible but the smallest non-empty content that I could generate was about 200 bytes.
> 
> Oh, so #2 is reserved for an empty keystore. :-)
> 
>> Do you have an example?
> 
> No. I tried to store a DES key there but see "NoSuchAlgorithmException: unrecognized algorithm name: DES". Maybe DES is obsolete? What would be the size if another tool creates a DES key? Will it be small enough?
> 
> I use keytool to -genseckey an AES key, ContentInfo has size D0. A little bigger.
> 
>> KeyStore.getInstance(file,pass,param,hasP):
>>> 
>>> It seems if one engineProbe() returns true but loading fails you will try the next storetype. Right? If so, dataStream.reset() should be called.
>> 
>> No. If loading fails then an exception is thrown - no further storetypes are checked.
> 
> I see. I thought new KeyStore(impl, (Provider)objs[1], type) could throw some exception. That's where I called "loading".
> 
> --Max
> 
>> 
>> 
>>> 
>>> Thanks
>>> Max
>>> 
>> 
> 

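The header-pattern question in this thread comes down to how DER encodes lengths: a fixed byte pattern has to enumerate every combination of short form (one byte below 0x80), 0x81 form (one length byte) and 0x82 form (two length bytes) that the PFX SEQUENCE, the outer ContentInfo, the [0] wrapper and the OCTET STRING can take. The following is an added example, not code from the OpenJDK review or from either poster: a small DER prefix walker that reports the length form of each of those four headers, applied to the first bytes of the keytool dump above and to a constructed prefix of the shape Max asks about (ContentInfo in 0x81 form, [0] in short form). It checks tags, the pkcs7-data OID and DER length minimality; the constructed prefix is only a header, not a complete keystore.

```python
# Added example (not part of the review or the mailing-list thread).
# Walks the DER prefix of a PKCS #12 file and reports, for each of the four
# outer headers, which length form was used.  A probe built this way handles
# every length form without a separate fixed byte pattern per combination.

OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")  # id-data 1.2.840.113549.1.7.1

# First 28 bytes of the keytool-generated keystore dumped in the message above.
PAGE_PREFIX = bytes.fromhex(
    "3082011b0201033081d606092a864886f70d010701a081c80481c530"
)

# Constructed prefix (header bytes only, not a real keystore): the layout Max
# asked about, i.e. ContentInfo with a one-byte long-form length just above
# 128 and the [0] wrapper still in short form.
CONSTRUCTED_PREFIX = bytes.fromhex(
    "3081f50201033081" "8206092a864886f7" "0d010701a0750473"
)


def read_tlv_header(buf, off):
    """Decode one DER tag and length at buf[off].

    Returns (tag, content_length, header_length, form) where form is
    "short", "long-1" or "long-2" etc.  Raises ValueError on encodings that
    are not valid DER (indefinite length, non-minimal length, >4 length bytes).
    """
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:
        return tag, first, 2, "short"
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
    # DER requires the shortest possible length encoding.
    if n == 1 and length < 0x80:
        raise ValueError("non-minimal length encoding")
    if n > 1 and length < (1 << (8 * (n - 1))):
        raise ValueError("non-minimal length encoding")
    return tag, length, 2 + n, "long-%d" % n


def probe_pkcs12(buf):
    """Return [(name, form, length), ...] for the four outer PFX headers,
    or None if buf does not start like a PKCS #12 PFX."""
    steps = []
    off = 0
    try:
        # PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData ... }
        tag, length, hl, form = read_tlv_header(buf, off)
        if tag != 0x30:
            return None
        steps.append(("PFX", form, length))
        off += hl

        # version INTEGER 3 is always encoded as 02 01 03
        if buf[off:off + 3] != b"\x02\x01\x03":
            return None
        off += 3

        # authSafe ContentInfo ::= SEQUENCE { contentType OID, [0] EXPLICIT ANY }
        tag, length, hl, form = read_tlv_header(buf, off)
        if tag != 0x30:
            return None
        steps.append(("ContentInfo", form, length))
        off += hl

        tag, length, hl, form = read_tlv_header(buf, off)
        if tag != 0x06 or buf[off + hl:off + hl + length] != OID_PKCS7_DATA:
            return None
        off += hl + length

        tag, length, hl, form = read_tlv_header(buf, off)
        if tag != 0xA0:
            return None
        steps.append(("[0] content", form, length))
        off += hl

        # The explicit [0] wraps an OCTET STRING holding the AuthenticatedSafe
        tag, length, hl, form = read_tlv_header(buf, off)
        if tag != 0x04:
            return None
        steps.append(("OCTET STRING", form, length))
    except (ValueError, IndexError):
        # Not DER, or truncated before the four headers were read.
        return None
    return steps


if __name__ == "__main__":
    for name, data in (("keytool dump", PAGE_PREFIX), ("constructed", CONSTRUCTED_PREFIX)):
        print(name, probe_pkcs12(data))
```

On the keytool dump this reports PFX in long-2 form (283 bytes), ContentInfo, [0] and OCTET STRING all in long-1 form (214, 200 and 197 bytes), which is the "30 82 ... 30 81 ... A0 81 ... 04 81" shape; on the constructed prefix it reports ContentInfo in long-1 form with [0] and OCTET STRING in short form, the combination Max raised. Input that is not DER at all, such as the JKS magic bytes, yields None rather than an exception.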