Fwd: My current jdk12 changes
Sean Mullan
sean.mullan at oracle.com
Fri Dec 7 22:06:22 UTC 2018
On 12/6/18 8:27 AM, Weijun Wang wrote:
> Hi All
>
> Currently, I have 4 code changes out for review and I wish they can make JDK 12 (RDP1 is 12/13)
>
> 8076190: Customizing the generation of a PKCS12 keystore
> https://cr.openjdk.java.net/~weijun/8076190/webrev.05/
* java.security
1124 # file. This can be any HmacPBE algorithm defined in the Mac section of the
1125 # Java Security Standard Algorithm Names Specification. When set to "NONE",
1126 # no Mac is generated. The default value is "HmacPBESHA1".
These "HmacPBE" algorithms are not defined in the Standard Algorithm
Names Specification. Make sure you file a follow-on bug to add them, if
you don't fix it as part of this.
1073 # parameter used to generate the existing Mac will be reused. If the existing
Should that be "parameters"?
1085 # "keystore.pkcs12.keyPbeIterationCount" values define here.
Typo: defined
1123 # The algorithm used to calculated the optional MacData at the end of a PKCS12
Typo: calculate
* PKCS12KeyStore.java
84 * Currently these PBE algorithms are used by default:
85 * - pbeWithSHAAnd3KeyTripleDESCBC to encrypt private keys
86 * - pbeWithSHAAnd40BitRC2CBC to encrypt certificates
I'd use the standard names here: PBEWithSHA1AndDESede,
PBEWithSHA1AndRC2_40. Also, can you add the default Mac algorithm?
221 int number = Integer.parseInt(result);
I suggest catching NumberFormatException and throwing a more informative
exception such as on lines 223-224. Also, you may want to parse the
String into an int later, when (or if) the properties are used. That
would be more consistent with what the definitions in java.security say
about the properties.
936 * EncryptedPrivateKeyInfo
extra space before "*".
2020 certProtectionAlgorithm = CERT_PROTECTION_ALGORITHM;
2021 certPbeIterationCount = CERT_PBE_ITERATION_COUNT;
2022 macAlgorithm = MAC_ALGORITHM;
These algorithms could be set to "". Is that ok, are they rejected
cleanly at some later point?
--Sean
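
Added example, not part of the original message and not JDK source: one way to apply the two suggestions in the review above, parsing the iteration count only at the point of use with an error that names the offending property, and rejecting an empty algorithm name before it reaches a later lookup. The KeyStoreException error type, the upper bound, the 50000 fallback and the "example.macAlgorithm" property name are assumptions made for illustration.

```java
import java.security.KeyStoreException;
import java.security.Security;

public class Pkcs12PropertyCheck {
    // Property name as quoted in the review; the bound is an assumed sanity limit.
    static final String KEY_PBE_IC = "keystore.pkcs12.keyPbeIterationCount";
    static final int MAX_ITERATION_COUNT = 5_000_000;

    /** Parses an iteration count when it is needed and says which property was bad. */
    static int iterationCount(String property, String raw, int defaultValue)
            throws KeyStoreException {
        if (raw == null) return defaultValue;          // property not set
        final int count;
        try {
            count = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new KeyStoreException(property + " is not a number: \"" + raw + "\"", e);
        }
        if (count <= 0 || count > MAX_ITERATION_COUNT) {
            throw new KeyStoreException(
                property + " is out of range (1-" + MAX_ITERATION_COUNT + "): " + count);
        }
        return count;
    }

    /** Rejects an algorithm name that is set but empty instead of passing "" along. */
    static String algorithm(String property, String raw, String defaultValue)
            throws KeyStoreException {
        if (raw == null) return defaultValue;          // property not set
        if (raw.isBlank()) throw new KeyStoreException(property + " is set but empty");
        return raw.trim();
    }

    public static void main(String[] args) throws Exception {
        // Live lookup; null when java.security leaves the property unset.
        String raw = Security.getProperty(KEY_PBE_IC);
        System.out.println("effective count: " + iterationCount(KEY_PBE_IC, raw, 50000));
        for (String bad : new String[] {"50k", "-1", ""}) {   // constructed bad values
            try {
                iterationCount(KEY_PBE_IC, bad, 50000);
            } catch (KeyStoreException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        try {   // hypothetical property name, set to "" as in the review's question
            algorithm("example.macAlgorithm", "", "HmacPBESHA1");
        } catch (KeyStoreException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```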