[8u] request for review: 8062552 Support keystore type detection for JKS and PKCS12 keystores

Sean Mullan sean.mullan at oracle.com
Fri May 22 15:27:34 UTC 2015

Just a couple of other comments:

- Both JavaKeyStore and JavaKeyStore$DualFormatJKS can be 
package-private since they are only referenced from SunEntries which is 
in the same package. I would also move KeyStoreDelegator into 
sun.security.provider and make it package-private.

- Can you add a comment describing the contents of the trusted.pem cert 
in case we need to re-create it at some point in the future?

- In KeyStoreDelegator, I think most/all of the fields can be made final.


On 05/21/2015 11:44 AM, Vincent Ryan wrote:
> Please review this enhancement to JDK 8u that addresses a compatibility risk for certain applications that access
> keystores across JDK 8 and JDK 9 releases. The issue arises because the default keystore type is now PKCS12 in
> JDK 9 but is JKS in earlier releases. The problem can occur when a keystore is created on JDK 9 using the default
> keystore type but accessed on JDK 8 also using the default keystore type. This keystore type mismatch results in
> an error.
> The change introduces a keystore compatibility mode for JKS keystores where both JKS and PKCS12 file formats are
> understood. Similar behaviour is already present in JDK 9 (JEP-229). The keystore.type.compat security property
> controls whether the mode is enabled or not. By default it is enabled.
> This enhancement enables at risk applications to continue to function across JDK 8 and JDK 9 without requiring any
> application code changes.
> Thanks.
> Bug: https://bugs.openjdk.java.net/browse/JDK-8062552
> Webrev: http://cr.openjdk.java.net/~vinnie/8062552/webrev.01/

More information about the security-dev mailing list