[9] request for review 8044445: Create PKCS12 Keystores by Default

Vincent Ryan vincent.x.ryan at oracle.com
Thu Dec 18 16:01:52 UTC 2014 

On 18 Dec 2014, at 14:59, Wang Weijun <weijun.wang at oracle.com> wrote:

> 
>> On Dec 18, 2014, at 22:12, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:
>> 
>> Thanks for reviewing, Max.
>> 
>> 
>> On 18 Dec 2014, at 06:52, Wang Weijun <weijun.wang at oracle.com> wrote:
>> 
>>> 
>>>> On Dec 18, 2014, at 07:58, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:
>>>> 
>>>> FYI I’ve updated the webrev to include the changes below:
>>>> http://cr.openjdk.java.net/~vinnie/8044445/webrev.05/
>>> 
>>> PKCS12KeyStore.PKCS12_HEADER_PATTERNS.
>>> 
>>> Is there a possibility for this?
>>> 
>>> 30 82 -- -- 02 01 03 30 81 -- 06 09 2A 86 48 86 F7 0D 01 07 01 A0 -- 04
>>> 
>>> That is to say, the length of ContentInfo is only slight smaller than 128. My understanding this is more likely than existing pattern #5 and #6.
>> 
>> In theory it may be possible but the smallest non-empty content that I could generate was about 200 bytes.
> 
> Oh, so #2 is reserved for an empty keystore. :-)
> 
>> Do you have an example?
> 
> No. I tried to store a DES key there but see "NoSuchAlgorithmException: unrecognized algorithm name: DES". Maybe DES is obsolete? What would be the size if another tool creates a DES key? Will it be small enough?
> 
> I use keytool to -genseckey an AES key, ContentInfo has size D0. A little bigger.
> 
>> KeyStore.getInstance(file,pass,param,hasP):
>>> 
>>> It seems if one engineProbe() returns true but loading fails you will try the next storetype. Right? If so, dataStream.reset() should be called.
>> 
>> No. If loading fails then an exception is thrown - no further storetypes are checked.
> 
> I see. I thought new KeyStore(impl, (Provider)objs[1], type) could throw some exception. That's where I called "loading”.

I thought you were referring to keystore.load, which is called later.

However, you are right, it would be safer to move the reset call out of the try block and
beyond the 2 catch blocks so that probing can continue if the keystore cannot be instantiated.



> 
> --Max
> 
>> 
>> 
>>> 
>>> Thanks
>>> Max
>>> 
>> 
>

More information about the security-dev mailing list