[14] RFR 8162628: Migrate cacerts keystore from JKS
Weijun Wang
weijun.wang at oracle.com
Tue Aug 13 16:23:01 UTC 2019
Please take a preliminary review at
https://cr.openjdk.java.net/~weijun/8162628/webrev.00
There is no test yet. I mainly want you to see if this is doable and whether there can be any unexpected compatibility impact.
So, the major points are:
1. Invent a new KeyStore type named "PEM", which is a stack of PEM-format certificates. It only support X.509 certificates and is read-only (at the moment).
2. Migrate lib/security/cacerts to this format.
Some details:
1. JKS/PKCS12/PEM is now aliases to each other, which means you can load a PKCS12 keystore using KeyStore.getInstance("pem"). This is an expansion of the former JKS/PKCS12 dual type.
2. PEM supports engineProbe(), and returns true as long as the first 5 bytes are readable ASCII. This is because people might put comment before "-----BEGIN CERT-----".
3. @attr can be added into comment as attributes in the comment area. cacerts will contain "@alias: aliasname". I'm still using the "[jdk]" label in the alias for jdkCA recognition.
Thanks,
Max
More information about the security-dev
mailing list