RFR 8076190: Customizing the generation of a PKCS12 keystore

Sean Mullan sean.mullan at oracle.com
Tue Oct 2 16:51:50 UTC 2018


On 10/1/18 8:02 PM, Weijun Wang wrote:
>
>
>> On Oct 2, 2018, at 2:49 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> Looks good. After you update the CSR with these changes, I can review it.
>
> Sure.
>
> What do you think of the following change? Shall I also add it?

Yes.
>
> *diff --git a/src/java.base/share/classes/java/security/KeyStore.java 
> b/src/java.base/share/classes/java/security/KeyStore.java*
> *--- a/src/java.base/share/classes/java/security/KeyStore.java*
> *+++ b/src/java.base/share/classes/java/security/KeyStore.java*
> @@ -318,7 +318,7 @@
>           * for a given keystore type is set using the
>           * {@code 'keystore.<type>.keyProtectionAlgorithm'} security 
> property.
>           * For example, the
> -         * {@code keystore.PKCS12.keyProtectionAlgorithm} property 
> stores the
> +         * {@code keystore.pkcs12.keyProtectionAlgorithm} property 
> stores the
>           * name of the default key protection algorithm used for PKCS12
>           * keystores. If the security property is not set, an
>           * implementation-specific algorithm will be used.
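
Review bot: the sentence above the changed line still gives the pattern as 'keystore.<type>.keyProtectionAlgorithm' without saying which case <type> takes, while the new example spells the type "pkcs12" and the following line still writes "PKCS12 keystores". Consider stating in that sentence that <type> is written in lowercase, so a reader does not derive the property name from the upper-case type name shown next to it.
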
>
> Shall I add some words to this method saying we should use lowercase or 
> are we going to live with this lower+UPPER for every keystore type 
> forever?
No. Let's just continue to check in the code for both variants of the 
above property, but remove all references to the upper-case variant from 
the javadocs and java.security file.

--Sean
>
> If yes, there will also be some text for its compatibility risk.
>
> Thanks
> Max
>
>>
>> --Sean
>>
>> On 9/28/18 9:36 AM, Weijun Wang wrote:
>>> Webrev updated at
>>> http://cr.openjdk.java.net/~weijun/8076190/webrev.04/
>>> Major changes:
>>> 1. Comment out key=value lines in java.security
>>> 2. Fix a bug in PBES2Parameters.java
>>> 3. Test no longer depends on openssl. Instead, use openssl to 
>>> generate some pkcs12 files and include them in the test.
>>> 4. A new test KeyProtAlgCompat.java to ensure compatibility on 
>>> pkcs12/PKCS12 names
>>> I haven't made any change to KeyStore.java yet. CSR is also not updated.
>>> Thanks
>>> Max
>
>
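
The thread above keeps both spellings of the property live in code while documenting only the lowercase one. As an added example (not code from the webrev or the JDK), this sketch resolves the effective value across both spellings and flags the case where they disagree; the class name, the lowercase-first precedence and the sample algorithm values are assumptions made for illustration.

```java
import java.security.Security;
import java.util.Locale;

public class KeyProtAlgLookup {

    // Pattern from the KeyStore javadoc: keystore.<type>.keyProtectionAlgorithm
    static String propertyName(String type) {
        return "keystore." + type + ".keyProtectionAlgorithm";
    }

    // Returns true when both spellings are set to different values, which
    // means the effective algorithm depends on lookup order.
    static boolean conflicting(String type) {
        String lower = Security.getProperty(propertyName(type.toLowerCase(Locale.ROOT)));
        String upper = Security.getProperty(propertyName(type.toUpperCase(Locale.ROOT)));
        return lower != null && upper != null && !lower.equals(upper);
    }

    // Returns the effective value, or null when neither spelling is set.
    // Assumption: the documented lowercase spelling wins over the legacy one.
    static String resolve(String type) {
        String lower = Security.getProperty(propertyName(type.toLowerCase(Locale.ROOT)));
        if (lower != null) {
            return lower;
        }
        return Security.getProperty(propertyName(type.toUpperCase(Locale.ROOT)));
    }

    public static void main(String[] args) {
        // Constructed sample values: a legacy configuration that only sets
        // the upper-case spelling.
        Security.setProperty(propertyName("PKCS12"), "PBEWithSHA1AndDESede");
        System.out.println("legacy only -> " + resolve("pkcs12")
                + " (conflict: " + conflicting("pkcs12") + ")");

        // The same configuration after the lowercase spelling is added with
        // a different value: the legacy entry is now silently shadowed.
        Security.setProperty(propertyName("pkcs12"), "PBEWithHmacSHA256AndAES_256");
        System.out.println("both set    -> " + resolve("pkcs12")
                + " (conflict: " + conflicting("pkcs12") + ")");
    }
}
```

A check like `conflicting` is useful when auditing a `java.security` file that was migrated by adding the lowercase entry without removing the upper-case one.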