RFR 8076190: Support passwordless access to PKCS12 keystores

Weijun Wang weijun.wang at oracle.com
Sun Sep 23 13:42:37 UTC 2018 


> On Sep 22, 2018, at 2:49 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> Still reviewing but here are some initial comments.
> 
> It seems this is more than a fix for JDK-8076190. It also adds configuration properties for the PKCS12 algorithms. I think you should expand the scope/description of the issue to include that.

The title of the bug is already "Customizing the generation of a PKCS12 keystore", I'll update the description.

> 
> * HmacPKCS12PBECore.java
> 
> The class description should be updated to PKCS #12 v1.1 and list the new algorithms that you added.

OK.

> 
> * java.security
> 
> Change "PKCS 12" to "PKCS12" to match the standard name.

OK.

> 
> These properties are also for existing keystores so I would change the first sentence to mention that, ex:
> 
> "... during the creation of a new keystore or modification of an existing keystore."

Those (esp certProtectionAlgorithm and macAlgorithm) are only used when generating a keystore. When an existing keystore is modified the properties are not used. I made this choice so that after we create the initial cacerts as password-less (with system properties on the command line), the user can add new cert into the file without any special system property setting and keep it password-less.

I've tried my best to describe this in the java.security.

> 
> The default alg values seem somewhat weak. Can we upgrade them or is there a compatibility issue/risk?

It will be addressed in a different RFE and is not related to migrating cacerts to password-less.

I haven't studied it yet. Need to investigate how current releases of various tools (openssl, browsers...) support it.

Thanks
Max

> 
> --Sean
> 
> On 8/9/18 5:55 AM, Weijun Wang wrote:
>> Webrev updated at
>>    http://cr.openjdk.java.net/~weijun/8076190/webrev.02
>> The only change is in keytool/Main and the test. keytool will not prompt for store password if it detects a password-less keystore.
>> This is 3) below.
>> Thanks
>> Max
>>> On Jul 24, 2018, at 6:49 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>> 
>>> Please review the code change and CSR at
>>> 
>>>   webrev: http://cr.openjdk.java.net/~weijun/8076190/webrev.01/
>>>   CSR: https://bugs.openjdk.java.net/browse/JDK-8202590
>>> 
>>> The bug is at
>>> 
>>>   https://bugs.openjdk.java.net/browse/JDK-8076190
>>> 
>>> This is the 1st part of the process to make cacerts using pkcs12:
>>> 
>>> 1. Support passwordless access to PKCS12 keystores
>>> 2. Update default algorithms and params when creating a PKCS12 keystore
>>> 3. Update keytool to support passwordless pkcs12 keystores
>>> 4. Migrate cacerts to pkcs12
>>> 
>>> Thanks
>>> Max
>>>

More information about the security-dev mailing list