[8u] request for review: 8062552 Support keystore type detection for JKS and PKCS12 keystores

Thomas Lußnig openjdk at suche.org
Sat May 23 21:57:17 UTC 2015


On 23.05.2015 10:59, Vincent Ryan wrote:
> The aim of this enhancement is to address a specific compatibility risk for JKS and
> not to offer a general purpose mechanism for loading any keystore type. In general,
> the keystore type should match the keystore file format.
>
> In JDK 9 there is a new probe mechanism for keystores that is more similar to
> what you are proposing. The advantage of that mechanism is that the keystore
> type will exactly match the keystore file format.
When there is already an new probe mechanism for keystore detetion, why
do not backport/use it ?
Why build this limited version for one single usecase instead of using
the more gerneral solution ?
>
>> On 23 May 2015, at 09:42, Thomas Lußnig <openjdk at suche.org> wrote:
>>
>> Hi,
>>
>> 1) Would it not be an good idea to check the first bytes of the message
>> so that the dual class already know what type the stream is
>> and there is no unnecessary instanciation of exceptions and engine class?
>> 2) If we add an "smart" keystore why we limit it to two types? I do not
>> see any reason why it should not be possible to add other store types to:
>> - JCEKS
>> - PKCS11
>> It could be extended via securit property
>> java.security.smartKeystore.<N>.type = PKCS11
>> java.security.smartKeystore.<N>.magic = <HexSequence> (Optional for
>> Performance)
>> java.security.smartKeystore.<N>.engineClass = CanonicalEngine Class Name
>>
>> This would be only an small code change but an usefull improvement.
>>
>> Gruß Thomas
>>
>>
>> On 22.05.2015 22:01, Sean Mullan wrote:
>>> Looks fine to me.
>>>
>>> --Sean
>>>
>>> On 05/22/2015 03:10 PM, Vincent Ryan wrote:
>>>> Thanks Thomas and Sean for your review comments.
>>>>
>>>> KeyStoreDelegator matches the JDK 9 version. I’ve moved it to the
>>>> sun.security.package and modified it as suggested.
>>>> I also made JavaKeyStore package-private but DualFormatJKS needs to
>>>> remain public.
>>>> The cert in trusted.pem is an arbitrary X.509 cert and I’ve added a
>>>> comment in the TestKeystoreCompat test.
>>>>
>>>> A new webrev is available at:
>>>> http://cr.openjdk.java.net/~vinnie/8062552/webrev.02/



More information about the security-dev mailing list