RFR CSR for 8162628: Migrating cacerts keystore to password-less PKCS12 format
Weijun Wang
weijun.wang at oracle.com
Sat Jun 1 00:06:55 UTC 2019
> On Jun 1, 2019, at 2:41 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> Rename it to "Migrate cacerts keystore to password-less PKCS12 format".
>
> In the Problem section, you may also want to add something like:
>
> - the certificates are public
> - The integrity protection is not really necessary since the cacerts file is part of the installed JDK, which should be installed using a secure mechanism and protected appropriately on-disk from modification.
Added.
>
> In the Solution section, you should probably mention that if the "keystore.type.compat" security property is set to false, then the risk of breakage would be high, but we do not believe that this property is changed very often.
I added it into the "Compatibility Risk Description" field but kept the level minimal.
Thanks,
Max
>
> --Sean
>
> On 5/30/19 11:32 PM, Weijun Wang wrote:
>> Please review the CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8224891
>> (Oh, I hate the CSR having a different bug id.)
>> Basically, with this change, the cacerts file can be loaded with
>> KeyStore.getInstance("JKS" or "PKCS12").load(stream, null or anything) or
>> KeyStore.getInstance(new File("cacerts"), null or anything)
>> so hopefully all your old code should still work.
>> I've also opened another RFE [1] that intends to find a different way to tag jdkCA entries in cacerts other than appending "[jdk]" to the alias.
>> Thanks,
>> Max
>> [1] https://bugs.openjdk.java.net/browse/JDK-8225099
More information about the security-dev
mailing list