Hi all, Thanks Dejan for bringing this up. Relaxing this constraint seems reasonable to me. I guess we would have to relax it for the keystores at some point in the future as well (with Java 18).
Let's wait a few days to see what others think about this. Best, David On Wed, Mar 23, 2022 at 8:46 PM Ismael Juma <ism...@juma.me.uk> wrote: > > Hi Rajini, > > On Mon, Mar 21, 2022 at 10:02 AM Rajini Sivaram <rajinisiva...@gmail.com> > wrote: > > > For the background on the current implementation: We use Java's keystore > > loading for JKS/PKCS12 keystore files and these files require passwords. We > > > > In Java 18: > > "Passwordless keystores (a keystore with no password required to unlock it) > are useful when the keystore is stored in a secure location and is only > intended to store non-sensitive information, such as public X.509 > certificates. With a passwordless PKCS12 keystore, certificates are not > encrypted and there is no Mac applied as an integrity check is not > necessary. > > Prior to this change, creating a passwordless PKCS12 keystore was > difficult, and required setting various security properties. Now, a > passwordless PKCS12 keystore can be created by simply specifying a null > password to the KeyStore::store(outStream, password) API. The keystore can > then be loaded with a null (or any) password with the KeyStore::load() API. > > Issue: JDK-8231107" > > https://seanjmullan.org/blog/2022/03/23/jdk18 > > Ismael