RFR 8076190: Customizing the generation of a PKCS12 keystore

Weijun Wang weijun.wang at oracle.com
Tue Oct 9 01:55:32 UTC 2018


The PKCS12KeyStore implementation only stores the decrypted certificate, but the major reason is that we want a password-less keystore to remain password-less without any property setting, so the newly added certificate must be stored the same way as the last existing certificate, and I think it's clearer to just use the same algorithm for all entries.

Also, there is only one password for all the certificates, and if they are using different PBE algorithms, an attacker can break the weakest one and then use the password to decrypt those encrypted with stronger ones.

--Max

> On Oct 9, 2018, at 1:39 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> On 10/8/18 11:26 AM, Weijun Wang wrote:
>> CSR updated. Please take a review.
>>    https://bugs.openjdk.java.net/browse/JDK-8202590
> 
> # ... If there
> # is at least one certificate in the existing keystore, the algorithm and
> # parameter used to encrypt the last certificate in the existing keystore will
> # be reused to encrypt all certificates while storing. If the last certificate
> # in the existing keystore is not encrypted, all certificates will be stored
> # unencrypted.
> 
> Can you remind me why you can't store the certificates using the same encryption algorithms that were previously used?
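
Added example, not part of the thread or of the JDK code: a check that lists the PBE schemes named inside a PKCS#12 container, so a file whose parts are protected by schemes of different strength under the one password stands out. The function names and the sample bytes are assumptions made for this illustration; the sample is a constructed skeleton rather than a real keystore, and only definite-length DER is handled.

```python
PBE_OIDS = {  # standard PKCS#12 and PKCS#5 object identifiers
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
}

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the definite-length element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:                         # base-128 arcs, high bit means more follows
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def pbe_algorithms(der):
    """Walk the structure and return every PBE scheme named in it, in file order."""
    found, pos = [], 0
    while pos < len(der):
        tag, body, pos = read_tlv(der, pos)
        if tag == 0x06:
            found += [PBE_OIDS[o] for o in [decode_oid(body)] if o in PBE_OIDS]
        elif tag & 0x20 or tag == 0x04:    # constructed, or OCTET STRING wrapping DER
            try:
                found += pbe_algorithms(body)
            except (ValueError, IndexError):
                pass                       # opaque bytes (salt, ciphertext, digest)
    return found

def tlv(tag, body):                        # short-form encoder, only for the sample
    return bytes([tag, len(body)]) + body

def alg(tail):                             # AlgorithmIdentifier with salt and iteration count
    oid = bytes.fromhex("2a864886f70d01") + tail
    return tlv(0x30, tlv(0x06, oid) + tlv(0x30, tlv(0x04, b"saltsalt") + tlv(0x02, b"\x08\x00")))

# Constructed skeleton, not a real keystore: certificates under RC2-40, key under 3DES.
SAMPLE = tlv(0x30, tlv(0x04, tlv(0x30,
    tlv(0x30, alg(b"\x0c\x01\x06") + tlv(0x80, b"\xaa" * 16)) +
    tlv(0x30, alg(b"\x0c\x01\x03") + tlv(0x80, b"\xbb" * 16)))))
```

For a real file, pass its bytes to `pbe_algorithms`; more than one distinct name in the result is the mixed case described in the message above.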



