RFR [10]: 8194307: KeyStore#getInstance with custom LoadStoreParameter succeeds with invalid password

Sean Mullan sean.mullan at oracle.com
Thu Jan 18 13:01:54 UTC 2018

On 1/18/18 5:54 AM, Weijun Wang wrote:
> The code change looks fine to me.


> Do you mean that getInstance(File, LoadStoreParameter) should have never been invented because a static password should always be enough for a static file?

Yes. I think we should have added getInstance(File, ProtectionParameter) 
instead of getInstance(File, LoadStoreParameter) and that would have 
been more appropriate and sufficient, as it would have still allowed a 
user to use a CallbackHandler to provide a password, which can be useful.


> Thanks
> Max
>> On Jan 18, 2018, at 6:36 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>> Please review this tck-red bug that needs to be fixed in JDK 10.
>> bug: https://bugs.openjdk.java.net/browse/JDK-8194307
>> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8194307/webrev.00/
>> The current fix is slightly limited in that it doesn't allow the LoadStoreParameter to be passed onto the underlying KeyStore, but that would require an additional API change (an overloaded KeyStore.load method that takes an InputStream and a LoadStoreParameter). Also, none of the existing JDK KeyStore file-based implementations support LoadStoreParameters, so this fix should be sufficient for now or until someone needs or requests that functionality.
>> Thanks,
>> Sean

More information about the security-dev mailing list