<div dir="ltr">Seems alright to this non-crypto expert.<div><br></div><div>The key thing I would like to see working is:</div><div><br></div><div>If I create a keystore for cacerts and then use it via -with-cacerts-file taking the defaults, this results in goodness (which presumably means not getting JKS keystore)</div><div><br></div><div>Make sure keystore creators don't have to specify a storepass.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 8, 2018 at 8:26 AM, Weijun Wang <span dir="ltr"><<a href="mailto:weijun.wang@oracle.com" target="_blank">weijun.wang@oracle.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">CSR updated. Please take a review.<br>
<br>
<a href="https://bugs.openjdk.java.net/browse/JDK-8202590" rel="noreferrer" target="_blank">https://bugs.openjdk.java.net/<wbr>browse/JDK-8202590</a><br>
<br>
A slightly updated webrev at<br>
<br>
<a href="https://cr.openjdk.java.net/~weijun/8076190/webrev.05" rel="noreferrer" target="_blank">https://cr.openjdk.java.net/~<wbr>weijun/8076190/webrev.05</a><br>
<br>
Thanks<br>
Max<br>
<div class="HOEnZb"><div class="h5"><br>
> On Oct 3, 2018, at 12:51 AM, Sean Mullan <<a href="mailto:sean.mullan@oracle.com">sean.mullan@oracle.com</a>> wrote:<br>
> <br>
> On 10/1/18 8:02 PM, Weijun Wang wrote:<br>
>> <br>
>> <br>
>>> On Oct 2, 2018, at 2:49 AM, Sean Mullan <<a href="mailto:sean.mullan@oracle.com">sean.mullan@oracle.com</a>> wrote:<br>
>>> <br>
>>> Looks good. After you update the CSR with these changes, I can review it.<br>
>> <br>
>> Sure.<br>
>> <br>
>> How do you think of the following change? Shall I also add it?<br>
> <br>
> Yes.<br>
>> <br>
>> diff --git a/src/java.base/share/classes/<wbr>java/security/KeyStore.java b/src/java.base/share/classes/<wbr>java/security/KeyStore.java<br>
>> --- a/src/java.base/share/classes/<wbr>java/security/KeyStore.java<br>
>> +++ b/src/java.base/share/classes/<wbr>java/security/KeyStore.java<br>
>> @@ -318,7 +318,7 @@<br>
>> * for a given keystore type is set using the<br>
>> * {@code 'keystore.<type>.<wbr>keyProtectionAlgorithm'} security property.<br>
>> * For example, the<br>
>> - * {@code keystore.PKCS12.<wbr>keyProtectionAlgorithm} property stores the<br>
>> + * {@code keystore.pkcs12.<wbr>keyProtectionAlgorithm} property stores the<br>
>> * name of the default key protection algorithm used for PKCS12<br>
>> * keystores. If the security property is not set, an<br>
>> * implementation-specific algorithm will be used.<br>
>> <br>
>> Shall I add some word to this method saying we should use lowercase or are we going to live with this lower+UPPER for every keystore type forever?<br>
> No. Let's just continue to check in the code for both variants of the above property, but remove all references to the upper-case variant from the javadocs and java.security file.<br>
> <br>
> --Sean<br>
>> <br>
>> If yes, there will also be some text for its compatibility risk.<br>
>> <br>
>> Thanks<br>
>> Max<br>
>> <br>
>>> <br>
>>> --Sean<br>
>>> <br>
>>> On 9/28/18 9:36 AM, Weijun Wang wrote:<br>
>>>> Webrev updated at<br>
>>>> <a href="http://cr.openjdk.java.net/~weijun/8076190/webrev.04/" rel="noreferrer" target="_blank">http://cr.openjdk.java.net/~<wbr>weijun/8076190/webrev.04/</a><br>
>>>> Major changes:<br>
>>>> 1. Comment out key=value lines in java.security<br>
>>>> 2. Fix a bug in PBES2Parameters.java<br>
>>>> 3. Test no longer depends on openssl. Instead, use openssl to generate some pkcs12 files and included in the test.<br>
>>>> 4. A new test KeyProtAlgCompat.java to ensure compatibility on pkcs12/PKCS12 names<br>
>>>> I haven't made any change to KeyStore.java yet. CSR is also not updated.<br>
>>>> Thanks<br>
>>>> Max<br>
>> <br>
>> <br>
<br>
</div></div></blockquote></div><br></div>