RFR 8076190: Support passwordless access to PKCS12 keystores
Sean Mullan
sean.mullan at oracle.com
Fri Sep 21 18:49:12 UTC 2018
Still reviewing but here are some initial comments.

It seems this is more than a fix for JDK-8076190. It also adds
configuration properties for the PKCS12 algorithms. I think you should
expand the scope/description of the issue to include that.

* HmacPKCS12PBECore.java

The class description should be updated to PKCS #12 v1.1 and list the
new algorithms that you added.

* java.security

Change "PKCS 12" to "PKCS12" to match the standard name.

These properties are also for existing keystores so I would change the
first sentence to mention that, ex:

"... during the creation of a new keystore or modification of an
existing keystore."

The default alg values seem somewhat weak. Can we upgrade them or is
there a compatibility issue/risk?

--Sean

On 8/9/18 5:55 AM, Weijun Wang wrote:
> Webrev updated at
>
> http://cr.openjdk.java.net/~weijun/8076190/webrev.02
>
> The only change is in keytool/Main and the test. keytool will not prompt for store password if it detects a password-less keystore.
>
> This is 3) below.
>
> Thanks
> Max
>
>> On Jul 24, 2018, at 6:49 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>
>> Please review the code change and CSR at
>>
>> webrev: http://cr.openjdk.java.net/~weijun/8076190/webrev.01/
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8202590
>>
>> The bug is at
>>
>> https://bugs.openjdk.java.net/browse/JDK-8076190
>>
>> This is the 1st part of the process to make cacerts using pkcs12:
>>
>> 1. Support passwordless access to PKCS12 keystores
>> 2. Update default algorithms and params when creating a PKCS12 keystore
>> 3. Update keytool to support passwordless pkcs12 keystores
>> 4. Migrate cacerts to pkcs12
>>
>> Thanks
>> Max
>>
>