RFR: 8285827: Describe the keystore.pkcs12.legacy system property in the java.security file

Sean Mullan mullan at openjdk.java.net
Fri Apr 29 20:50:39 UTC 2022


On Fri, 29 Apr 2022 20:40:46 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> It's a little long, but I can see why it is useful, so I think it's good. I would avoid the word "new" as this won't be new in a few years time. Here is an edit where I removed words which I thought were not essential:
>> 
>>> Some PKCS #12 tools and libraries may not support algorithms based on PBES2 and AES. 
>>> To create a PKCS #12 keystore which they can load, set the system property
>>> "keystore.pkcs12.legacy" which overrides the values of the properties defined below with
>>> legacy algorithms. Setting this system property is equivalent to
>>> 
>>>   ....
>>> 
>>> Also, you can downgrade an existing PKCS #12 keystore created with stronger algorithms
>>> to legacy algorithms with
>>> 
>>>    keytool -J-Dkeystore.pkcs12.legacy -importkeystore -srckeystore ks -destkeystore ks
>>> 
>>> This system property should be used at your own risk. 
>> 
>> Don't think you really need the sentence below, as you have already given several examples:
>> 
>>> Please note there is
>>> no value defined for this system property, i.e. "-Dkeystore.pkcs12.legacy"
>>> has the same effect as "-Dkeystore.pkcs12.legacy=<any value>".
>
> The reason I added the last sentence is because this property has no value. Someone might think they can set it to false to disable it, but that is equivalent to setting it to true.

Ah I see. Maybe put in the previous sentence, ex: "When set, this system property (which can only be enabled and has no value) is equivalent to:"

Just a suggestion.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8452
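As an added illustration (not part of the thread, the PR, or the JDK), the script below runs the downgrade exactly as the proposed java.security text shows it and then checks what actually ended up in the file. The AlgorithmIdentifiers of the encrypted content and of the shrouded key bags in a PKCS #12 file are stored in the clear, so the DER-encoded OIDs can be looked for in the raw bytes without decrypting anything (and without depending on whether the local OpenSSL still has RC2 enabled). It assumes a keytool on PATH from a JDK that knows the keystore.pkcs12.legacy property (JDK 18 or later; on older JDKs the property is ignored but the defaults are already the legacy algorithms); the alias, dname, file name and password are made up for the demo. The helper names (der_hex, der_has_oid, classify_p12, make_keystore, downgrade_keystore, demo) are this example's own.

```shell
#!/bin/sh
# Added example, not from the security-dev thread or the JDK sources.
# Round trip: create a PKCS #12 keystore with keytool, downgrade it in place with
# -J-Dkeystore.pkcs12.legacy, and classify the file by the PBE algorithm OIDs it
# contains. Requires keytool (JDK 18+ for the property to have an effect).
set -eu

# DER encodings (tag 06, length, value) of the algorithm OIDs of interest.
OID_PBES2='06092a864886f70d01050d'             # 1.2.840.113549.1.5.13   PBES2
OID_PBE_SHA1_RC2_40='060a2a864886f70d010c0106' # 1.2.840.113549.1.12.1.6 pbeWithSHA1And40BitRC2-CBC
OID_PBE_SHA1_3DES='060a2a864886f70d010c0103'   # 1.2.840.113549.1.12.1.3 pbeWithSHA1And3-KeyTripleDES-CBC

STOREPASS=changeit   # demo password only (assumption, not from the thread)

# Dump a file as one continuous lowercase hex string (POSIX od; no xxd needed).
der_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Exit 0 if the file contains the given DER-encoded OID, 1 otherwise.
der_has_oid() {
    der_hex "$1" | grep -q "$2"
}

# Print "pbes2", "legacy" or "unknown" for a PKCS #12 file.
# PBES2 is checked first so that any remaining PBES2 bag is reported as such.
classify_p12() {
    if der_has_oid "$1" "$OID_PBES2"; then
        echo pbes2
    elif der_has_oid "$1" "$OID_PBE_SHA1_RC2_40" || der_has_oid "$1" "$OID_PBE_SHA1_3DES"; then
        echo legacy
    else
        echo unknown
        return 1
    fi
}

# Create a fresh PKCS #12 keystore holding one self-signed EC key pair.
make_keystore() {
    keytool -genkeypair -keystore "$1" -storetype PKCS12 -storepass "$STOREPASS" \
        -alias demo -keyalg EC -dname CN=demo -validity 1 >/dev/null 2>&1
}

# Downgrade in place, as the proposed java.security text shows. The property has
# no value: "-Dkeystore.pkcs12.legacy=false" would enable it just the same.
downgrade_keystore() {
    keytool -J-Dkeystore.pkcs12.legacy -importkeystore \
        -srckeystore "$1" -destkeystore "$1" \
        -srcstorepass "$STOREPASS" -deststorepass "$STOREPASS" -noprompt >/dev/null 2>&1
}

# Whole round trip; prints the classification before and after the downgrade.
demo() {
    ks=${1:-ks.p12}
    rm -f "$ks"
    make_keystore "$ks"
    printf 'fresh:      %s\n' "$(classify_p12 "$ks")"
    downgrade_keystore "$ks"
    printf 'downgraded: %s\n' "$(classify_p12 "$ks")"
}

# Usage: sh this_script.sh run [keystore-file]
case "${1:-}" in
    run) demo "${2:-ks.p12}" ;;
esac
```

On a JDK 18 or later the first line prints "pbes2" and the second "legacy"; on an older JDK both print "legacy", which is the same fact the thread states from the other direction: the property only exists because the defaults changed.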


