[14] RFR 8162628: Migrate cacerts keystore from JKS
Michael Osipov
1983-01-06 at gmx.net
Tue Aug 13 18:03:06 UTC 2019
Am 2019-08-13 um 18:23 schrieb Weijun Wang:
> Please take a preliminary review at
>
> https://cr.openjdk.java.net/~weijun/8162628/webrev.00
>
> There is no test yet. I mainly want you to see if this is doable and whether there can be any unexpected compatibility impact.
>
> So, the major points are:
>
> 1. Invent a new KeyStore type named "PEM", which is a stack of PEM-format certificates. It only support X.509 certificates and is read-only (at the moment).
> 2. Migrate lib/security/cacerts to this format.
>
> Some details:
>
> 1. JKS/PKCS12/PEM is now aliases to each other, which means you can load a PKCS12 keystore using KeyStore.getInstance("pem"). This is an expansion of the former JKS/PKCS12 dual type.
> 2. PEM supports engineProbe(), and returns true as long as the first 5 bytes are readable ASCII. This is because people might put comment before "-----BEGIN CERT-----".
> 3. @attr can be added into comment as attributes in the comment area. cacerts will contain "@alias: aliasname". I'm still using the "[jdk]" label in the alias for jdkCA recognition.
Thanks,
that's awesome. I will have a look.
Some questions upfront:
1. How did you manage to assign virtual aliases? The PEM format does not
have any.
2. I have a PKCS12 keystore issued by our CA with a public cert and a
private key in it. I can export it with openssl(1) into single PEM file
and feed it to curl with OpenSSL binding. Does this work too?
Regards,
Michael
More information about the security-dev
mailing list