RFR 8076190: Customizing the generation of a PKCS12 keystore
Weijun Wang
weijun.wang at oracle.com
Thu Sep 27 14:23:46 UTC 2018
Oh, I didn't know it was specified in KeyStore.PasswordProtection.getProtectionAlgorithm(). I'll need to rework on webrev.04.
As for pkcs12 or PKCS12, do we really need to treat old and new properties differently? I would document them in java.security with pkcs12 but support reading both.
--Max
> On Sep 27, 2018, at 9:43 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> On 9/27/18 1:58 AM, Weijun Wang wrote:
>> All others accepted.
>>> 1122 keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40
>>>
>>> Shouldn't this be named certPbeAlgorithm so that it matches certPbeIterationCount? Same comment about keyProtectionAlgorithm.
>> Unfortunately we already had "keystore.pkcs12.keyProtectionAlgorithm" and it also accepts "PKCS12".
>
> Ah, I see - I forgot about that property.
>
> See http://cr.openjdk.java.net/~weijun/8076190/webrev.03/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java-.html:
>> 147 private static final String[] KEY_PROTECTION_ALGORITHM = {
>> 148 "keystore.pkcs12.keyProtectionAlgorithm",
>> 149 "keystore.PKCS12.keyProtectionAlgorithm"
>> 150 };
>> But you are right the names are not consistent and supporting both "pkcs12" and "PKCS12" is awkward (and cannot make use of the new SecurityProperties::privilegedGetOverridable method). Now I decide to name the new properties as (key|cert)PbeAlgorithm names with only "pkcs12", and only support the old names as a fallback.
>
> Hmm, but this means we have to support 2 properties meaning the same thing, and the KeyStore.PasswordProtection.getProtectionAlgorithm() is already specified to use the keystore.<type>.keyProtectionAlgorithm property. Based on that, I take back my comment, and I think it would be better to retain the existing property instead of defining another one with the same meaning. I don't like having to try to get the properties with "pkcs12" and "PKCS12", but it seems we could live with that since we have been doing it and we only need to do this for the existing properties - we could assume "pkcs12" for all of the new ones.
>
> --Sean
More information about the security-dev
mailing list