RFR 8076190: Customizing the generation of a PKCS12 keystore

Sean Mullan sean.mullan at oracle.com
Thu Sep 27 13:43:40 UTC 2018


On 9/27/18 1:58 AM, Weijun Wang wrote:
> All others accepted.
> 
>> 1122 keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40
>>
>> Shouldn't this be named certPbeAlgorithm so that it matches certPbeIterationCount? Same comment about keyProtectionAlgorithm.
> 
> Unfortunately we already had "keystore.pkcs12.keyProtectionAlgorithm" and it also accepts "PKCS12". 

Ah, I see - I forgot about that property.

See 
http://cr.openjdk.java.net/~weijun/8076190/webrev.03/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java-.html:
> 
>   147     private static final String[] KEY_PROTECTION_ALGORITHM = {
>   148         "keystore.pkcs12.keyProtectionAlgorithm",
>   149         "keystore.PKCS12.keyProtectionAlgorithm"
>   150     };
> 
> But you are right the names are not consistent and supporting both "pkcs12" and "PKCS12" is awkward (and cannot make use of the new SecurityProperties::privilegedGetOverridable method). Now I decide to name the new properties as (key|cert)PbeAlgorithm names with only "pkcs12", and only support the old names as a fallback.

Hmm, but this means we have to support 2 properties meaning the same 
thing, and the KeyStore.PasswordProtection.getProtectionAlgorithm() is 
already specified to use the keystore.<type>.keyProtectionAlgorithm 
property. Based on that, I take back my comment, and I think it would be 
better to retain the existing property instead of defining another one 
with the same meaning. I don't like having to try to get the properties 
with "pkcs12" and "PKCS12", but it seems we could live with that since 
we have been doing it and we only need to do this for the existing 
properties - we could assume "pkcs12" for all of the new ones.

--Sean
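
The lookup order proposed in the message above, as an added example that is not part of the original thread or of the JDK source: the existing keyProtectionAlgorithm property is read under both the "pkcs12" and "PKCS12" spellings, while a new property such as certProtectionAlgorithm is read only under "pkcs12". The class name, the `firstSet` helper, the treatment of an empty value as unset, and the property values set in `main` are assumptions made for illustration.

```java
import java.security.Security;

public class Pkcs12PropertyLookup {
    // Existing property: both spellings, in the order of the quoted
    // KEY_PROTECTION_ALGORITHM array from PKCS12KeyStore.java.
    static final String[] KEY_PROTECTION_ALGORITHM = {
        "keystore.pkcs12.keyProtectionAlgorithm",
        "keystore.PKCS12.keyProtectionAlgorithm"
    };

    // New property from the review: only the lowercase "pkcs12" spelling.
    static final String CERT_PROTECTION_ALGORITHM =
        "keystore.pkcs12.certProtectionAlgorithm";

    // Hypothetical helper: first property that is set and non-empty, else null.
    // Treating an empty value as unset is an assumption of this example.
    static String firstSet(String... names) {
        for (String name : names) {
            String value = Security.getProperty(name);
            if (value != null && !value.trim().isEmpty()) {
                return value.trim();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed values, set in-process only for the demonstration.
        Security.setProperty(KEY_PROTECTION_ALGORITHM[0], "");
        Security.setProperty(KEY_PROTECTION_ALGORITHM[1], "PBEWithSHA1AndDESede");
        System.out.println("key, legacy spelling only: "
            + firstSet(KEY_PROTECTION_ALGORITHM));

        // When both spellings are set, the lowercase one is found first.
        Security.setProperty(KEY_PROTECTION_ALGORITHM[0], "PBEWithHmacSHA256AndAES_256");
        System.out.println("key, both spellings set:   "
            + firstSet(KEY_PROTECTION_ALGORITHM));

        // A value under the uppercase spelling of a new property is never read.
        Security.setProperty(CERT_PROTECTION_ALGORITHM, "");
        Security.setProperty("keystore.PKCS12.certProtectionAlgorithm",
            "PBEWithSHA1AndRC2_40");
        System.out.println("cert, uppercase only:      "
            + firstSet(CERT_PROTECTION_ALGORITHM));
    }
}
```

A configuration audit that wants to know which algorithm actually protects new keystores has to check both spellings of the existing property, but only the lowercase spelling of the new ones.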


