<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi Tony!</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof"><span style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">I read the draft
</span><span style="letter-spacing: normal; font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; font-size: 14.6667px; font-weight: 400; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><a href="https://openjdk.org/jeps/8300911" id="OWA08840dcd-20a9-62a1-6c4e-eab504e9c7e8" class="OWAAutoLink" data-auth="NotApplicable" data-linkindex="0" style="margin: 0px; text-align: left; background-color: rgb(255, 255, 255);">https://openjdk.org/jeps/8300911</a>.
It looks quite good to me.</span></div>
<div class="elementToProof"><span style="letter-spacing: normal; font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; font-size: 14.6667px; font-weight: 400; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><br>
</span></div>
<div class="elementToProof"><span style="letter-spacing: normal; font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; font-size: 14.6667px; font-weight: 400; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">To
get a better feeling, I would like to use it. Is there a draft implementation of this API? </span></div>
<div class="elementToProof"><span style="letter-spacing: normal; font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; font-size: 14.6667px; font-weight: 400; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><br>
</span></div>
<div class="elementToProof"><span style="letter-spacing: normal; font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; font-size: 14.6667px; font-weight: 400; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">I
could give it a go with the draft version of PEM Keystore I did in </span><span style="letter-spacing: normal; font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; font-size: 14.6667px; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><a href="https://github.com/KarlScheibelhofer/jdk/tree/pem-keystore" id="OWA1a4ce9c3-0881-f4b7-ba2d-095da3a65457" class="OWAAutoLink">KarlScheibelhofer/jdk
at pem-keystore (github.com)</a> </span></div>
<div class="elementToProof"><span style="letter-spacing: normal; font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; font-size: 14.6667px; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><br>
</span></div>
<div class="elementToProof"><span style="letter-spacing: normal; font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; font-size: 14.6667px; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">regards,
Karl</span></div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Anthony Scarpino &lt;anthony.scarpino@oracle.com&gt;<br>
<b>Sent:</b> Friday, 17 November 2023 20:52<br>
<b>To:</b> Karl Scheibelhofer &lt;karl.scheibelhofer@gmx.net&gt;<br>
<b>Cc:</b> security-dev@openjdk.org &lt;security-dev@openjdk.org&gt;<br>
<b>Subject:</b> Re: [External] : Re: PEM KeyStore Implementation</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">As you may have seen, the PEM API draft is out: <br>
<a href="https://openjdk.org/jeps/8300911">https://openjdk.org/jeps/8300911</a><br>
<br>
Tony<br>
<br>
<br>
<br>
On 10/18/23 3:00 AM, Karl Scheibelhofer wrote:<br>
> Hi Sean,<br>
> <br>
> Yes, I can help with this new PEM API.<br>
> <br>
> Let me know, when there is something to review.<br>
> <br>
> Best regards,<br>
> <br>
> Karl<br>
> <br>
> <br>
> On Tue, Oct 17, 2023, 19:12 Sean Mullan &lt;sean.mullan@oracle.com <br>
> &lt;<a href="mailto:sean.mullan@oracle.com">mailto:sean.mullan@oracle.com</a>>> wrote:<br>
> <br>
> Hi Karl,<br>
> <br>
> I discussed your proposal with some other colleagues.<br>
> <br>
> We generally feel a PEM KeyStore would be a useful addition to the<br>
> JDK. This would alleviate usability issues that many users encounter<br>
> when configuring and deploying applications that store keys or<br>
> certificates in PEM files.<br>
> <br>
> However, we would like to first make sure that your PEM KeyStore<br>
> implementation will work well with the PEM API that we will be<br>
> proposing soon. We think this is a perfect opportunity to ensure<br>
> they work well together and would appreciate your help in reviewing<br>
> and validating the API - would you be interested in helping out?<br>
> <br>
> Once that is done, we can discuss next steps.<br>
> <br>
> Thanks,<br>
> Sean<br>
> <br>
> <br>
>> On Oct 5, 2023, at 9:41 AM, Sean Mullan &lt;sean.mullan@oracle.com<br>
>> &lt;<a href="mailto:sean.mullan@oracle.com">mailto:sean.mullan@oracle.com</a>>> wrote:<br>
>><br>
>><br>
>><br>
>>> On Oct 5, 2023, at 2:48 AM, Karl Scheibelhofer<br>
>>> &lt;karl.scheibelhofer@gmx.net &lt;<a href="mailto:karl.scheibelhofer@gmx.net">mailto:karl.scheibelhofer@gmx.net</a>>><br>
>>> wrote:<br>
>>><br>
>>> Hi Sean,<br>
>>><br>
>>> Yes, I had a look at the Contributing docs at the OpenJDK site<br>
>>> before. I also signed the OCA.<br>
>><br>
>> Great, thanks.<br>
>><br>
>>><br>
>>> Honestly, I thought there would be some more reaction on the<br>
>>> suggested PEM KeyStore. It would really be good to discuss the<br>
>>> topic with others. Is there anything we can do to get others in<br>
>>> sharing their thoughts on this?<br>
>><br>
>> I think there is a fair amount of interest in it, but reviewing<br>
>> something significant like this takes a bit of time, as I<br>
>> mentioned in my prior email. Also, if we do decide to accept the<br>
>> contribution, we want to make sure it works well with the PEM API<br>
>> that we are working on - we hope to have a draft of a JEP for that<br>
>> out in the next few weeks. So I think we probably need a few weeks<br>
>> to review your contribution.<br>
>><br>
>>><br>
>>> There is already a fair amount of documentation and unit tests.<br>
>>> See <a href="https://github.com/KarlScheibelhofer/java-crypto-tools/">https://github.com/KarlScheibelhofer/java-crypto-tools/</a>.<br>
>><br>
>> Ok.<br>
>><br>
>> —Sean<br>
>><br>
>>><br>
>>> Best regards,<br>
>>> Karl<br>
>>><br>
>>> On Wed, Oct 4, 2023, 13:58 Sean Mullan &lt;sean.mullan@oracle.com<br>
>>> &lt;<a href="mailto:sean.mullan@oracle.com">mailto:sean.mullan@oracle.com</a>>> wrote:<br>
>>><br>
>>> Hi Karl,<br>
>>><br>
>>> The OpenJDK Developer’s Guide includes a helpful section on<br>
>>> Contributing to an OpenJDK Project [1]. I suggest you read<br>
>>> through that if you have not already. In particular, have you<br>
>>> signed the OCA? I don’t want to review your code/contribution<br>
>>> until that is done.<br>
>>><br>
>>> For this particular contribution, I don’t think there has<br>
>>> been enough discussion and evaluation from members of the<br>
>>> Security project. This would be a fairly major contribution.<br>
>>> Keep in mind that a contribution doesn’t mean the work ends<br>
>>> there. There would need to be documentation, tests, and<br>
>>> ongoing support for the foreseeable future. We need to think<br>
>>> about these aspects every time we add a new feature, so there<br>
>>> needs to be a strong motivation for doing it.<br>
>>><br>
>>> Thanks,<br>
>>> Sean<br>
>>><br>
>>> [1]<br>
>>> <a href="https://openjdk.org/guide/#contributing-to-an-openjdk-project">
https://openjdk.org/guide/#contributing-to-an-openjdk-project</a><br>
>>><br>
>>> > On Oct 4, 2023, at 4:21 AM, Karl Scheibelhofer<br>
>>> &lt;karl.scheibelhofer@gmx.net<br>
>>> &lt;<a href="mailto:karl.scheibelhofer@gmx.net">mailto:karl.scheibelhofer@gmx.net</a>>> wrote:<br>
>>> ><br>
>>> > Hi All,<br>
>>> ><br>
>>> > I would like to contribute my PEM KeyStore implementation<br>
>>> to the<br>
>>> > OpenJDK, including integration in the OpenJDK source and<br>
>>> creating a<br>
>>> > pull request.<br>
>>> > What is the recommended way to do this?<br>
>>> > Who can create a suitable ticket in OpenJDK to document the<br>
>>> > enhancement and to track the progress?<br>
>>> ><br>
>>> > What are the requirements for a pull request to get merged?<br>
>>> ><br>
>>> > Best regards<br>
>>> ><br>
>>> > Karl<br>
>>> ><br>
>>> > On Wed, 20 Sept 2023 at 11:26, Karl Scheibelhofer<br>
>>> > &lt;karl.scheibelhofer@gmx.net<br>
>>> &lt;<a href="mailto:karl.scheibelhofer@gmx.net">mailto:karl.scheibelhofer@gmx.net</a>>> wrote:<br>
>>> >><br>
>>> >> Hi Tony!<br>
>>> >><br>
>>> >> When the PEM API implementation becomes available it would<br>
>>> make sense<br>
>>> >> to use it inside the PEM Keystore implementation. It will<br>
>>> reduce the<br>
>>> >> code (the internal classes PemReader and PemWriter may become<br>
>>> >> obsolete), but it does not affect the functionality of the PEM<br>
>>> >> keystore. Users of the PEM Keystore won't experience a<br>
>>> difference.<br>
>>> >><br>
>>> >> Let me know when there is something for the PEM API and I<br>
>>> will see if<br>
>>> >> I can assist.<br>
>>> >><br>
>>> >> I would suggest starting with PEM Keystore now and not<br>
>>> wait for the<br>
>>> >> PEM API, because the time schedule for it seems vague. I<br>
>>> would try to<br>
>>> >> refactor my current PEM Keystore implementation to<br>
>>> integrate in the<br>
>>> >> OpenJDK sun.security.provider package. I do not expect any<br>
>>> API changes<br>
>>> >> or other compatibility issues with existing code. Then<br>
>>> consult this<br>
>>> >> group for feedback before creating a pull request.<br>
>>> >><br>
>>> >> When the PEM API becomes available, rework the PEM Keystore<br>
>>> >> implementation to use it internally.<br>
>>> >><br>
>>> >> What do you think?<br>
>>> >><br>
>>> >> Best regards<br>
>>> >><br>
>>> >> Karl Scheibelhofer<br>
>>> >><br>
>>> >> On Tue, 19 Sept 2023 at 22:31, Anthony Scarpino<br>
>>> >> &lt;anthony.scarpino@oracle.com<br>
>>> &lt;<a href="mailto:anthony.scarpino@oracle.com">mailto:anthony.scarpino@oracle.com</a>>> wrote:<br>
>>> >>><br>
>>> >>> There are no doc links yet.<br>
>>> >>><br>
>>> >>> Tony<br>
>>> >>><br>
>>> >>> On 9/10/23 1:04 AM, Karl Scheibelhofer wrote:<br>
>>> >>>> Hi Tony,<br>
>>> >>>><br>
>>> >>>> The motivation was mostly about reading PEM keys and<br>
>>> certificates<br>
>>> >>>> generated somewhere else. This is common practice in<br>
>>> enterprise<br>
>>> >>>> environments I work in. Because corporate key material<br>
>>> is subject to<br>
>>> >>>> centralized key management, including generation, backup<br>
>>> and rollover.<br>
>>> >>>> PEM is the format most software products can handle. For<br>
>>> Java<br>
>>> >>>> applications, having a PEM KeyStore would reduce the<br>
>>> often required<br>
>>> >>>> additional step of converting PEM key and certificate in<br>
>>> a Java<br>
>>> >>>> Keystore/PKCS#12.<br>
>>> >>>> Even truststores handling is easier with individual PEM<br>
>>> certificates<br>
>>> >>>> instead of a single PKCS#12 Truststore. Adding or<br>
>>> deleting a single<br>
>>> >>>> file instead of replacing the complete PKCS#12 store is<br>
>>> less error<br>
>>> >>>> prone and cleaner to track in version control. The<br>
>>> additional benefit<br>
>>> >>>> of a MAC in PKCS#12 adds little to no security in most<br>
>>> cases.<br>
>>> >>>> And being text based, PEM is more version control<br>
>>> friendly than binary PKCS#12.<br>
>>> >>>><br>
>>> >>>> But to enable sound support of PEM, I also implemented<br>
>>> writing PEM<br>
>>> >>>> keys and certificates. This way, one can use the JDK<br>
>>> keytool to<br>
>>> >>>> generate key and certificate signing requests in PEM<br>
>>> format. Getting<br>
>>> >>>> the certificate from the CA in PEM, one can use PEM<br>
>>> throughout the<br>
>>> >>>> process.<br>
>>> >>>><br>
>>> >>>> Do you have any links or documentation on the PEM API<br>
>>> JEP that you mentioned?<br>
>>> >>>><br>
>>> >>>> Thank you for your feedback and best regards<br>
>>> >>>><br>
>>> >>>> Karl<br>
>>> >>>><br>
>>> >>>> On Fri, 8 Sept 2023 at 21:17, Anthony Scarpino<br>
>>> >>>> &lt;anthony.scarpino@oracle.com<br>
>>> &lt;<a href="mailto:anthony.scarpino@oracle.com">mailto:anthony.scarpino@oracle.com</a>>> wrote:<br>
>>> >>>>><br>
>>> >>>>> Hi Karl<br>
>>> >>>>><br>
>>> >>>>> The keystore is interesting and may have some value. <br>
>>> Was your use case<br>
>>> >>>>> mostly reading PEM keys and certificates generated<br>
>>> elsewhere for use<br>
>>> >>>>> with a particular application, maybe webservers? Did<br>
>>> you see value in<br>
>>> >>>>> writing to this keystore from Java?<br>
>>> >>>>><br>
>>> >>>>> On the topic of PEM, I hope before the end of the year<br>
>>> to have a PEM API<br>
>>> >>>>> JEP. I would be interested in your API feedback from<br>
>>> your keystore<br>
>>> >>>>> experiences. I think if this keystore contribution was<br>
>>> accepted, it<br>
>>> >>>>> should wait so it can use that API.<br>
>>> >>>>><br>
>>> >>>>> thanks<br>
>>> >>>>><br>
>>> >>>>> Tony<br>
>>> >>>>><br>
>>> >>>>><br>
>>> >>>>> On 9/1/23 12:15 PM, Karl Scheibelhofer wrote:<br>
>>> >>>>>> Hi,<br>
>>> >>>>>><br>
>>> >>>>>> Working with Java and the JCA KeyStore for decades, I<br>
>>> came across<br>
>>> >>>>>> many situations where I thought it would be convenient<br>
>>> to be<br>
>>> >>>>>> able to load private keys and certificates in PEM<br>
>>> format directly<br>
>>> >>>>>> using the KeyStore API. Without the need to convert<br>
>>> them to PKCS#12/JKS.<br>
>>> >>>>>><br>
>>> >>>>>> You can find my implementation of a PEM KeyStore in<br>
>>> >>>>>><br>
>>> >>>>>> <a href="https://github.com/KarlScheibelhofer/java-crypto-tools">https://github.com/KarlScheibelhofer/java-crypto-tools</a>.<br>
>>> >>>>>><br>
>>> >>>>>> I wondered if it would make sense to integrate such an<br>
>>> implementation<br>
>>> >>>>>> in one of the standard providers of OpenJDK - like the<br>
>>> SUN provider.<br>
>>> >>>>>> What do you think?<br>
>>> >>>>>><br>
>>> >>>>>> Best regards<br>
>>> >>>>>><br>
>>> >>>>>> Karl<br>
>>><br>
>><br>
> <br>
</div>
</span></font></div>
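<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p>The thread repeatedly refers to the reader/writer layer a PEM KeyStore needs until a PEM API exists (the PemReader/PemWriter classes Karl mentions) and to the PEM-to-PKCS#12 conversion step the proposal is meant to remove. The following is an added example illustrating both; it is not code from Karl's java-crypto-tools repository, from his pem-keystore branch, or from the JDK, and the class and method names (PemBlocks, Block, parse, toPrivateKey, toTrustStore, encode) are hypothetical. The only inputs it uses are a throw-away EC key generated at run time; the defender-relevant part is that a block whose END label does not match its BEGIN label, or whose body is not clean base64, is rejected rather than silently accepted.</p>

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.*;
import java.security.spec.*;
import java.util.*;

// Added example, hypothetical code: the PEM block layer a PEM KeyStore needs internally.
// Not part of the JDK or of the PEM KeyStore discussed in the thread.
public final class PemBlocks {

    /** One decoded PEM block: the label between BEGIN/END and the DER payload. */
    public record Block(String label, byte[] der) {}

    /** Parse every "-----BEGIN X-----" ... "-----END X-----" block; reject mismatched or unterminated ones. */
    public static List<Block> parse(String pem) throws IOException {
        List<Block> blocks = new ArrayList<>();
        BufferedReader r = new BufferedReader(new StringReader(pem));
        String label = null;          // label of the block being read; null while outside a block
        StringBuilder b64 = null;
        String line;
        int lineNo = 0;
        while ((line = r.readLine()) != null) {
            lineNo++;
            line = line.strip();
            if (label == null) {
                if (line.startsWith("-----BEGIN ") && line.endsWith("-----")) {
                    label = line.substring(11, line.length() - 5);
                    b64 = new StringBuilder();
                }
                // text outside a block (comments, key metadata) is ignored, as OpenSSL does
            } else if (line.startsWith("-----END ")) {
                String end = line.endsWith("-----") ? line.substring(9, line.length() - 5) : "";
                if (!end.equals(label)) {
                    throw new IOException("line " + lineNo + ": END label '" + end
                            + "' does not match BEGIN label '" + label + "'");
                }
                try {   // the basic decoder is strict: stray characters inside the body are an error
                    blocks.add(new Block(label, Base64.getDecoder().decode(b64.toString())));
                } catch (IllegalArgumentException e) {
                    throw new IOException("line " + lineNo + ": invalid base64 in " + label + " block", e);
                }
                label = null;
            } else if (!line.isEmpty()) {
                b64.append(line);
            }
        }
        if (label != null) throw new IOException("unterminated " + label + " block");
        return blocks;
    }

    /** PKCS#8 carries the algorithm OID, but KeyFactory needs a name: try the algorithms the JDK ships. */
    public static PrivateKey toPrivateKey(Block blk) throws GeneralSecurityException {
        if (!blk.label().equals("PRIVATE KEY")) {
            throw new InvalidKeyException("expected a PRIVATE KEY block, got " + blk.label());
        }
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(blk.der());
        for (String alg : new String[] {"RSA", "EC", "EdDSA"}) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                // not this algorithm; try the next one
            }
        }
        throw new InvalidKeySpecException("unsupported algorithm in PRIVATE KEY block");
    }

    /** Build an in-memory trust store from CERTIFICATE blocks: the conversion a PEM KeyStore would make unnecessary. */
    public static KeyStore toTrustStore(List<Block> blocks) throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);          // empty in-memory store
        int n = 0;
        for (Block b : blocks) {
            if (b.label().equals("CERTIFICATE")) {
                ks.setCertificateEntry("cert-" + (n++), cf.generateCertificate(new ByteArrayInputStream(b.der())));
            }
        }
        return ks;
    }

    /** Encode DER as a PEM block with 64-character base64 lines, as a PemWriter would. */
    public static String encode(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");   // constructed sample key, not a real credential
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();
        String pem = encode("PRIVATE KEY", kp.getPrivate().getEncoded());

        // round trip: the key parsed back from PEM must sign something the original public key verifies
        PrivateKey priv = toPrivateKey(parse(pem).get(0));
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(priv);
        sig.update(msg);
        byte[] sigBytes = sig.sign();
        sig.initVerify(kp.getPublic());
        sig.update(msg);
        System.out.println("key parsed from PEM signs, original public key verifies: " + sig.verify(sigBytes));

        try {   // a block whose END label was altered must be rejected, not silently accepted
            parse(pem.replace("-----END PRIVATE KEY-----", "-----END CERTIFICATE-----"));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

<p>Run it with a JDK that has records (16 or later). Encrypted "ENCRYPTED PRIVATE KEY" blocks and RFC 1421 header lines inside a block are deliberately not handled here; a real PEM KeyStore would have to decide how to treat both, and with the JEP 8300911 API in place this whole parsing layer would be replaced by the API's decoder, which is exactly the simplification Karl describes for PemReader and PemWriter.</p>
</div>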
</body>
</html>