RFR 8076190: Customizing the generation of a PKCS12 keystore

Weijun Wang weijun.wang at oracle.com
Thu Sep 27 23:26:57 UTC 2018 

I think commenting out the key=value lines in java.security will ensure compatibility.

Also, I think it's a tiny bug between

1. KeyStore.java uses "keystore.PKCS12.keyProtectionAlgorithm"
2. PKCS12KeyStore searches for "keystore.pkcs12.keyProtectionAlgorithm" first and "keystore.PKCS12.keyProtectionAlgorithm" next.

I would like to update KeyStore.java to use "keystore.pkcs12.keyProtectionAlgorithm". We will keep supporting the PKCS12 name for this old property but everything else is clean.

How do you think?

Thanks
Max

> On Sep 28, 2018, at 12:22 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> The keystore.pkcs12.keyProtectionAlgorithm property was introduced in JDK 8. I don't think there are many apps using it.
> 
> Thus, I would make a decision on what you think the best solution is long-term and then make sure you document any compatibility issues in the CSR and release note.
> 
> My main advice is not to carry over the existing PKCS12 or pkcs12 flexibility into the new properties.
> 
> --Sean
> 
> On 9/27/18 11:27 AM, Weijun Wang wrote:
>> Thinking about this more and there is a small problem.
>> Suppose a user is already using PKCS12. Since it was a security property, there are 2 ways to use it:
>> 1. Set it in java.security. Now the user is using JDK 12 and in java.security there is an existing keystore.pkcs12.keyProtectionAlgorithm. If the user noticed it, he would realize this is the formal name and modify it. If he hasn't noticed it he would add a new line using PKCS12. But then since both exist, the "pkcs12" one will be read first.
>> 2. Set it with Security::setProperty. This is similar to the "hasn't noticed it" case above, and his value will be ignored.
>> So, the user-provided PKCS12 one will only be used if the user is using an old java.security file. Do we really want to support that?
>> Since PKCS12 is already written into KeyStore.java, it seems the correct way is to use "PKCS12" as the formal name and use "pkcs12" as an alias. But in JDK 11, the search order is first "pkcs12" and then "PKCS12".
>> Or, shall we comment out the lines in java.security? They are indeed useless because default values are already hardcoded in source files.
>> --Max
>>> On Sep 27, 2018, at 10:29 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>> 
>>> It seems odd to support both. Once we put that into the code it’s very hard to take out in case someone is depending on it. So for the new properties I would just support one variant.

More information about the security-dev mailing list