[tls] On 8059818 Keytool does not recognize jssecacerts for -trustcacerts command line option

Wang Weijun weijun.wang at oracle.com
Sat Oct 11 00:47:10 UTC 2014


On Oct 11, 2014, at 0:24, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:

>> 
>> BTW, I see that DomainKeyStore#load(stream,pass) is designed to load a keystore of JKS (or another default storetype). Why didn't we load a DKS config file (with common passwords or all null)?
> 
> The DKS implementation supports the common use case of loading a single keystore from a file to aid compatibility with existing
> keystore applications and existing keystores.

Who would want such compatibility when the keystore was created with KeyStore.getInstance("DKS")? It makes some sense if DKS is the future default store type, but I thought that was PKCS12.

> 
> Although I can also see the advantage of supporting a DKS configuration file via that load method. Maybe the implementation
> should support both?

I would like to see that, and maybe it's even better to support loading a DKS with multiple passwords. How we would handle this bug (8059818) is TBD, but JSSE already has "javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType" and "javax.net.ssl.trustStorePassword". It would be nice if a DKS keystore could be used there.

--Max
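
Editor's added example (not code from this thread, from DomainKeyStore, or from any OpenJDK change): the "DKS with multiple passwords" case Max describes is already reachable through the public KeyStore.load(LoadStoreParameter) path using java.security.DomainLoadStoreParameter, whose map supplies one ProtectionParameter per member keystore, keyed by the keystore name used in the domain configuration. The program below writes a small DKS configuration that groups the running JDK's cacerts with a second, locally created PKCS12 truststore protected by a different password, loads the domain, and counts the trusted-certificate entries visible through it. Assumptions (not stated on this page): cacerts lives at ${java.home}/lib/security/cacerts and uses the default password "changeit"; the domain name "demo", the keystore names "system-cacerts" and "local-truststore", and the file names are made up for the example.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.DomainLoadStoreParameter;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: load a DKS domain keystore whose member keystores use
 * different passwords. Assumes ${java.home}/lib/security/cacerts exists and
 * is protected by the default password "changeit" (both are assumptions).
 */
public class DksMultiPasswordDemo {

    static final char[] CACERTS_PW = "changeit".toCharArray();
    static final char[] LOCAL_PW = "local-truststore-pw".toCharArray();

    /** Counts trusted-certificate entries reachable through the given keystore. */
    static int countTrustedCerts(KeyStore ks) throws KeyStoreException {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            if (ks.isCertificateEntry(e.nextElement())) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        Path work = Files.createTempDirectory("dks-demo");

        // Member keystore 1: the JDK's own cacerts, loaded here only to borrow one CA.
        KeyStore system = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            system.load(in, CACERTS_PW);
        }
        String firstAlias = system.aliases().nextElement();
        Certificate ca = system.getCertificate(firstAlias);

        // Member keystore 2: a locally owned PKCS12 truststore with a different password.
        Path local = work.resolve("local-truststore.p12");
        KeyStore localKs = KeyStore.getInstance("PKCS12");
        localKs.load(null, null);
        localKs.setCertificateEntry("copied-" + firstAlias, ca);
        try (OutputStream out = Files.newOutputStream(local)) {
            localKs.store(out, LOCAL_PW);
        }

        // DKS configuration (constructed for this example). Keystore names here are
        // the keys used in the protection map below.
        String config =
                "domain demo {\n"
              + "    keystore system-cacerts\n"
              + "        keystoreURI=\"" + cacerts.toUri() + "\";\n"
              + "    keystore local-truststore\n"
              + "        keystoreType=\"PKCS12\"\n"
              + "        keystoreURI=\"" + local.toUri() + "\";\n"
              + "};\n";
        Path cfg = work.resolve("truststores.dks");
        Files.write(cfg, config.getBytes(StandardCharsets.UTF_8));

        // One password per member keystore, keyed by keystore name.
        Map<String, KeyStore.ProtectionParameter> passwords = new HashMap<>();
        passwords.put("system-cacerts", new KeyStore.PasswordProtection(CACERTS_PW));
        passwords.put("local-truststore", new KeyStore.PasswordProtection(LOCAL_PW));

        // The URI fragment selects the domain inside the configuration file.
        URI domain = URI.create(cfg.toUri() + "#demo");
        KeyStore dks = KeyStore.getInstance("DKS");
        dks.load(new DomainLoadStoreParameter(domain, passwords));

        int expected = system.size() + 1;
        int actual = countTrustedCerts(dks);
        if (actual != expected) {
            throw new IllegalStateException("expected " + expected + " trusted certs, saw " + actual);
        }
        System.out.println(actual + " trusted certificates visible through domain " + domain);
        for (Enumeration<String> e = dks.aliases(); e.hasMoreElements(); ) {
            System.out.println("  " + e.nextElement());  // aliases are qualified by keystore name
        }
    }
}
```

Run it with plain `java DksMultiPasswordDemo.java` (JDK 11+) or compile and run on JDK 8; it needs no network. The same domain file could be pointed at by a JSSE property only if the truststore code path accepted a DKS configuration, which is exactly the open question in the message above, so the example stops at the KeyStore API.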
