[External] : Re: PEM KeyStore Implementation
Anthony Scarpino
anthony.scarpino at oracle.com
Fri Nov 17 19:52:56 UTC 2023
As you may have seen, the PEM API draft is out:
https://openjdk.org/jeps/8300911
Tony
On 10/18/23 3:00 AM, Karl Scheibelhofer wrote:
> Hi Sean,
>
> Yes, I can help with this new PEM API.
>
> Let me know, when there is something to review.
>
> Best regards,
>
> Karl
>
>
> On Tue, Oct 17, 2023, 19:12 Sean Mullan <sean.mullan at oracle.com
> <mailto:sean.mullan at oracle.com>> wrote:
>
> Hi Karl,
>
> I discussed your proposal with some other colleagues.
>
> We generally feel a PEM KeyStore would be a useful addition to the
> JDK. This would alleviate usability issues that many users encounter
> when configuring and deploying applications that store keys or
> certificates in PEM files.
>
> However, we would like to first make sure that your PEM KeyStore
> implementation will work well with the PEM API that we will be
> proposing soon. We think this is a perfect opportunity to ensure
> they work well together and would appreciate your help in reviewing
> and validating the API - would you be interested in helping out?
>
> Once that is done, we can discuss next steps.
>
> Thanks,
> Sean
>
>
>> On Oct 5, 2023, at 9:41 AM, Sean Mullan <sean.mullan at oracle.com
>> <mailto:sean.mullan at oracle.com>> wrote:
>>
>>
>>
>>> On Oct 5, 2023, at 2:48 AM, Karl Scheibelhofer
>>> <karl.scheibelhofer at gmx.net <mailto:karl.scheibelhofer at gmx.net>>
>>> wrote:
>>>
>>> Hi Sean,
>>>
>>> Yes, I had a look at the Contributing docs at the OpenJDK site
>>> before. I also signed the OCA.
>>
>> Great, thanks.
>>
>>>
>>> Honestly, I thought there would be some more reaction on the
>>> suggested PEM KeyStore. It would really be good to discuss the
>>> topic with others. Is there anything we can do to get others in
>>> sharing their thoughts on this?
>>
>> I think there is a fair amount of interest in it, but reviewing
>> something significant like this takes a bit of time, as I
>> mentioned in my prior email. Also, if we do decide to accept the
>> contribution, we want to make sure it works well with the PEM API
>> that we are working on - we hope to have a draft of a JEP for that
>> out in the next few weeks. So I think we probably need a few weeks
>> to review your contribution.
>>
>>>
>>> There is already a fair amount of documentation and unit tests.
>>> See https://github.com/KarlScheibelhofer/java-crypto-tools/ .
>>
>> Ok.
>>
>> —Sean
>>
>>>
>>> Best regards,
>>> Karl
>>>
>>> On Wed, Oct 4, 2023, 13:58 Sean Mullan <sean.mullan at oracle.com
>>> <mailto:sean.mullan at oracle.com>> wrote:
>>>
>>> Hi Karl,
>>>
>>> The OpenJDK Developer’s Guide includes a helpful section on
>>> Contributing to an OpenJDK Project [1]. I suggest you read
>>> through that if you have not already. In particular, have you
>>> signed the OCA? I don’t want to review your code/contribution
>>> until that is done.
>>>
>>> For this particular contribution, I don’t think there has
>>> been enough discussion and evaluation from members of the
>>> Security project. This would be a fairly major contribution.
>>> Keep in mind that a contribution doesn’t mean the work ends
>>> there. There would need to be documentation, tests, and
>>> ongoing support for the foreseeable future. We need to think
>>> about these aspects every time we add a new feature, so there
>>> needs to be a strong motivation for doing it.
>>>
>>> Thanks,
>>> Sean
>>>
>>> [1]
>>> https://openjdk.org/guide/#contributing-to-an-openjdk-project
>>> <https://openjdk.org/guide/#contributing-to-an-openjdk-project>
>>>
>>> > On Oct 4, 2023, at 4:21 AM, Karl Scheibelhofer
>>> > <karl.scheibelhofer at gmx.net <mailto:karl.scheibelhofer at gmx.net>> wrote:
>>> >
>>> > Hi All,
>>> >
>>> > I would like to contribute my PEM KeyStore implementation to the
>>> > OpenJDK, including integration in the OpenJDK source and creating a
>>> > pull request.
>>> > What is the recommended way to do this?
>>> > Who can create a suitable ticket in OpenJDK to document the
>>> > enhancement and to track the progress?
>>> >
>>> > What are the requirements for a pull request to get merged?
>>> >
>>> > Best regards
>>> >
>>> > Karl
>>> >
>>> > On Wed, 20 Sept 2023 at 11:26, Karl Scheibelhofer
>>> > <karl.scheibelhofer at gmx.net <mailto:karl.scheibelhofer at gmx.net>> wrote:
>>> >>
>>> >> Hi Tony!
>>> >>
>>> >> When the PEM API implementation becomes available it would make sense
>>> >> to use it inside the PEM Keystore implementation. It will reduce the
>>> >> code (the internal classes PemReader and PemWriter may become
>>> >> obsolete), but it does not affect the functionality of the PEM
>>> >> keystore. Users of the PEM Keystore won't experience a difference.
>>> >>
>>> >> Let me know when there is something for the PEM API and I will see if
>>> >> I can assist.
>>> >>
>>> >> I would suggest starting with PEM Keystore now and not wait for the
>>> >> PEM API, because the time schedule for it seems vague. I would try to
>>> >> refactor my current PEM Keystore implementation to integrate in the
>>> >> OpenJDK sun.security.provider package. I do not expect any API changes
>>> >> or other compatibility issues with existing code. Then consult this
>>> >> group for feedback before creating a pull request.
>>> >>
>>> >> When the PEM API becomes available, rework the PEM Keystore
>>> >> implementation to use it internally.
>>> >>
>>> >> What do you think?
>>> >>
>>> >> Best regards
>>> >>
>>> >> Karl Scheibelhofer
>>> >>
>>> >> On Tue, 19 Sept 2023 at 22:31, Anthony Scarpino
>>> >> <anthony.scarpino at oracle.com <mailto:anthony.scarpino at oracle.com>> wrote:
>>> >>>
>>> >>> There are no doc links yet.
>>> >>>
>>> >>> Tony
>>> >>>
>>> >>> On 9/10/23 1:04 AM, Karl Scheibelhofer wrote:
>>> >>>> Hi Tony,
>>> >>>>
>>> >>>> The motivation was mostly about reading PEM keys and certificates
>>> >>>> generated somewhere else. This is common practice in enterprise
>>> >>>> environments I work in, because corporate key material is subject to
>>> >>>> centralized key management, including generation, backup and rollover.
>>> >>>> PEM is the format most software products can handle. For Java
>>> >>>> applications, having a PEM KeyStore would reduce the often required
>>> >>>> additional step of converting PEM key and certificate into a Java
>>> >>>> Keystore/PKCS#12.
>>> >>>> Even truststore handling is easier with individual PEM certificates
>>> >>>> instead of a single PKCS#12 Truststore. Adding or deleting a single
>>> >>>> file instead of replacing the complete PKCS#12 store is less error
>>> >>>> prone and cleaner to track in version control. The additional benefit
>>> >>>> of a MAC in PKCS#12 adds little to no security in most cases.
>>> >>>> And being text based, PEM is more version control friendly than binary PKCS#12.
>>> >>>>
>>> >>>> But to enable sound support of PEM, I also implemented writing PEM
>>> >>>> keys and certificates. This way, one can use the JDK keytool to
>>> >>>> generate key and certificate signing requests in PEM format. Getting
>>> >>>> the certificate from the CA in PEM, one can use PEM throughout the
>>> >>>> process.
>>> >>>>
>>> >>>> Do you have any links or documentation on the PEM API JEP that you mentioned?
>>> >>>>
>>> >>>> Thank you for your feedback and best regards
>>> >>>>
>>> >>>> Karl
>>> >>>>
>>> >>>> On Fri, 8 Sept 2023 at 21:17, Anthony Scarpino
>>> >>>> <anthony.scarpino at oracle.com <mailto:anthony.scarpino at oracle.com>> wrote:
>>> >>>>>
>>> >>>>> Hi Karl
>>> >>>>>
>>> >>>>> The keystore is interesting and may have some value. Was your use case
>>> >>>>> mostly reading PEM keys and certificates generated elsewhere for use
>>> >>>>> with a particular application, maybe webservers? Did you see value in
>>> >>>>> writing to this keystore from Java?
>>> >>>>>
>>> >>>>> On the topic of PEM, I hope before the end of the year to have a PEM API
>>> >>>>> JEP. I would be interested in your API feedback from your keystore
>>> >>>>> experiences. I think if this keystore contribution was accepted, it
>>> >>>>> should wait so it can use that API.
>>> >>>>>
>>> >>>>> thanks
>>> >>>>>
>>> >>>>> Tony
>>> >>>>>
>>> >>>>>
>>> >>>>> On 9/1/23 12:15 PM, Karl Scheibelhofer wrote:
>>> >>>>>> Hi,
>>> >>>>>>
>>> >>>>>> Working with Java and the JCA KeyStore for decades, I came across
>>> >>>>>> many situations where I thought it would be convenient to be
>>> >>>>>> able to load private keys and certificates in PEM format directly
>>> >>>>>> using the KeyStore API, without the need to convert them to PKCS#12/JKS.
>>> >>>>>>
>>> >>>>>> You can find my implementation of a PEM KeyStore in
>>> >>>>>> https://github.com/KarlScheibelhofer/java-crypto-tools .
>>> >>>>>>
>>> >>>>>> I wondered if it would make sense to integrate such an implementation
>>> >>>>>> in one of the standard providers of OpenJDK - like the SUN provider.
>>> >>>>>> What do you think?
>>> >>>>>>
>>> >>>>>> Best regards
>>> >>>>>>
>>> >>>>>> Karl
>>>
>>
>
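As an added illustration of the conversion step this thread says a PEM KeyStore type would remove (example code written for this page, not taken from java-crypto-tools or the JDK): building a PKCS#12 trust store and key entry from PEM files using only the KeyStore, CertificateFactory and KeyFactory APIs that exist today. The `PemToKeyStore` class, the one-file-per-certificate alias scheme, the file names and the placeholder password are assumptions; the key is assumed to be an unencrypted PKCS#8 RSA key.

```java
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
// Hypothetical helper (JDK 17+): the manual PEM -> PKCS#12 step that a PEM KeyStore type would remove.
public class PemToKeyStore {
    // One .pem/.crt file per certificate; alias = file name without extension ("-1", "-2", ... for extras).
    static KeyStore trustStoreFromDirectory(Path dir) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                   // fresh in-memory store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (var files = Files.list(dir)) {
            for (Path p : files.sorted().toList()) {
                String name = p.getFileName().toString();
                if (!name.endsWith(".pem") && !name.endsWith(".crt")) continue;
                String base = name.substring(0, name.lastIndexOf('.'));
                int n = 0;
                try (var in = Files.newInputStream(p)) {
                    for (Certificate c : cf.generateCertificates(in)) {   // accepts PEM armor directly
                        ks.setCertificateEntry(n == 0 ? base : base + "-" + n, c);
                        n++;
                    }
                }
            }
        }
        return ks;
    }
    // Unencrypted PKCS#8 ("BEGIN PRIVATE KEY") only; with no PEM parser in the JDK the base64 body is
    // unwrapped by hand. "BEGIN ENCRYPTED PRIVATE KEY" would instead need EncryptedPrivateKeyInfo + password.
    static PrivateKey privateKeyFromPem(String pem, String algorithm) throws Exception {
        String body = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                         .replace("-----END PRIVATE KEY-----", "")
                         .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }
    // Usage: java PemToKeyStore.java certs/ server-key.pem server-chain.pem out.p12
    public static void main(String[] args) throws Exception {
        KeyStore ks = trustStoreFromDirectory(Paths.get(args[0]));
        PrivateKey key = privateKeyFromPem(Files.readString(Paths.get(args[1])), "RSA");
        Certificate[] chain = CertificateFactory.getInstance("X.509")
                .generateCertificates(Files.newInputStream(Paths.get(args[2]))).toArray(new Certificate[0]);
        ks.setKeyEntry("server", key, "changeit".toCharArray(), chain);   // password is a placeholder
        try (var out = Files.newOutputStream(Paths.get(args[3]))) { ks.store(out, "changeit".toCharArray()); }
    }
}
```

With the one-file-per-certificate layout the thread favours, there is no PKCS#12 MAC over the set of trusted certificates, so the integrity of the trust store rests on the permissions and change tracking of that directory.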