RFR CSR for 8162628: Migrating cacerts keystore to password-less PKCS12 format

Sean Mullan sean.mullan at oracle.com
Fri May 31 18:41:52 UTC 2019


Rename it to "Migrate cacerts keystore to password-less PKCS12 format".

In the Problem section, you may also want to add something like:

- the certificates are public
- The integrity protection is not really necessary since the cacerts 
file is part of the installed JDK, which should be installed using a 
secure mechanism and protected appropriately on-disk from modification.

In the Solution section, you should probably mention that if the 
"keystore.type.compat" security property is set to false, then the risk 
of breakage would be high, but we do not believe that this property is 
changed very often.

--Sean

On 5/30/19 11:32 PM, Weijun Wang wrote:
> Please review the CSR at
> 
>     https://bugs.openjdk.java.net/browse/JDK-8224891
> 
> (Oh, I hate the CSR having a different bug id.)
> 
> Basically, with this change, the cacerts file can be loaded with
> 
>     KeyStore.getInstance("JKS" or "PKCS12").load(stream, null or anything) or
>     KeyStore.getInstance(new File("cacerts"), null or anything)
> 
> so hopefully all your old code should still work.
> 
> I've also opened another RFE [1] that intends to find a different way to tag jdkCA entries in cacerts other than appending "[jdk]" to the alias.
> 
> Thanks,
> Max
> 
> [1] https://bugs.openjdk.java.net/browse/JDK-8225099
> 



More information about the security-dev mailing list