Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-12-18 Thread Weijun Wang
> On Dec 15, 2018, at 5:09 AM, Sean Mullan wrote: > > On 12/12/18 10:57 AM, Weijun Wang wrote: >> Thanks. Will you please also take a look at the release note >> at https://bugs.openjdk.java.net/browse/JDK-8215293? > > I'm not sure about including the second sentence: "In particular, the > a

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-12-14 Thread Sean Mullan
On 12/12/18 10:57 AM, Weijun Wang wrote: Thanks. Will you please also take a look at the release note at https://bugs.openjdk.java.net/browse/JDK-8215293? I'm not sure about including the second sentence: "In particular, the algorithm for certificate protection and MacData can be set to "NONE"

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-12-12 Thread Weijun Wang
Thanks. Will you please also take a look at the release note at https://bugs.openjdk.java.net/browse/JDK-8215293? --Max > On Dec 12, 2018, at 11:01 PM, Sean Mullan wrote: > > Looks good. > > --Sean > > On 12/12/18 9:40 AM, Weijun Wang wrote: >> The latest webrev is at >> https://cr.openjd

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-12-12 Thread Sean Mullan
Looks good. --Sean On 12/12/18 9:40 AM, Weijun Wang wrote: The latest webrev is at https://cr.openjdk.java.net/~weijun/8076190/webrev.07 The major change since webrev.05 is that the properties are no longer read into static fields, they are read on-demand. This means they will never be r

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-12-12 Thread Weijun Wang
The latest webrev is at https://cr.openjdk.java.net/~weijun/8076190/webrev.07 The major change since webrev.05 is that the properties are no longer read into static fields, they are read on-demand. This means they will never be read if store() is not called. I've also added more test cases.

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-10-10 Thread Martin Buchholz
On Wed, Oct 10, 2018 at 3:10 AM, Weijun Wang wrote: > > > > On Oct 10, 2018, at 1:07 AM, Martin Buchholz > wrote: > > > > Seems alright to this non-crypto expert. > > > > The key thing I would like to see working is: > > > > If I create a keystore for cacerts and then use it via > -with-cacerts-

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-10-10 Thread Weijun Wang
> On Oct 10, 2018, at 1:07 AM, Martin Buchholz wrote: > > Seems alright to this non-crypto expert. > > The key thing I would like to see working is: > > If I create a keystore for cacerts and then use it via -with-cacerts-file > taking the defaults, this results in goodness (which presumabl

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-10-09 Thread Martin Buchholz
Seems alright to this non-crypto expert. The key thing I would like to see working is: If I create a keystore for cacerts and then use it via -with-cacerts-file taking the defaults, this results in goodness (which presumably means not getting JKS keystore) Make sure keystore creators don't have

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-10-08 Thread Weijun Wang
The PKCS12KeyStore implementation only stores the decrypted certificate, but the major reason is that we want a password-less keystore to remain password-less without any property setting, so the newly added certificate must be stored the same way as the last existing certificate, and I think it

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-10-08 Thread Sean Mullan
On 10/8/18 11:26 AM, Weijun Wang wrote: CSR updated. Please take a review. https://bugs.openjdk.java.net/browse/JDK-8202590 # ... If there # is at least one certificate in the existing keystore, the algorithm and # parameter used to encrypt the last certificate in the existing keystore wi

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-10-08 Thread Weijun Wang
CSR updated. Please take a review. https://bugs.openjdk.java.net/browse/JDK-8202590 A slightly updated webrev at https://cr.openjdk.java.net/~weijun/8076190/webrev.05 Thanks Max > On Oct 3, 2018, at 12:51 AM, Sean Mullan wrote: > > On 10/1/18 8:02 PM, Weijun Wang wrote: >> >> >>> On

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-10-02 Thread Sean Mullan
On 10/1/18 8:02 PM, Weijun Wang wrote: On Oct 2, 2018, at 2:49 AM, Sean Mullan > wrote: Looks good. After you update the CSR with these changes, I can review it. Sure. How do you think of the following change? Shall I also add it? Yes. *diff --git a/src/j

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-10-01 Thread Weijun Wang
> On Oct 2, 2018, at 2:49 AM, Sean Mullan wrote: > > Looks good. After you update the CSR with these changes, I can review it. Sure. How do you think of the following change? Shall I also add it? diff --git a/src/java.base/share/classes/java/security/KeyStore.java b/src/java.base/share/clas

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-10-01 Thread Sean Mullan
Looks good. After you update the CSR with these changes, I can review it. --Sean On 9/28/18 9:36 AM, Weijun Wang wrote: Webrev updated at http://cr.openjdk.java.net/~weijun/8076190/webrev.04/ Major changes: 1. Comment out key=value lines in java.security 2. Fix a bug in PBES2Parameters.j

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-28 Thread Weijun Wang
Webrev updated at http://cr.openjdk.java.net/~weijun/8076190/webrev.04/ Major changes: 1. Comment out key=value lines in java.security 2. Fix a bug in PBES2Parameters.java 3. Test no longer depends on openssl. Instead, use openssl to generate some pkcs12 files and included in the test. 4. A

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-27 Thread Weijun Wang
I think commenting out the key=value lines in java.security will ensure compatibility. Also, I think it's a tiny bug between 1. KeyStore.java uses "keystore.PKCS12.keyProtectionAlgorithm" 2. PKCS12KeyStore searches for "keystore.pkcs12.keyProtectionAlgorithm" first and "keystore.PKCS12.keyProte

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-27 Thread Sean Mullan
The keystore.pkcs12.keyProtectionAlgorithm property was introduced in JDK 8. I don't think there are many apps using it. Thus, I would make a decision on what you think the best solution is long-term and then make sure you document any compatibility issues in the CSR and release note. My mai

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-27 Thread Weijun Wang
Thinking about this more and there is a small problem. Suppose a user is already using PKCS12. Since it was a security property, there are 2 ways to use it: 1. Set it in java.security. Now the user is using JDK 12 and in java.security there is an existing keystore.pkcs12.keyProtectionAlgorithm.

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-27 Thread Sean Mullan
It seems odd to support both. Once we put that into the code it’s very hard to take out in case someone is depending on it. So for the new properties I would just support one variant. > On Sep 27, 2018, at 10:23 AM, Weijun Wang wrote: > > Oh, I didn't know it was specified in > KeyStore.Pass

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-27 Thread Weijun Wang
Oh, I didn't know it was specified in KeyStore.PasswordProtection.getProtectionAlgorithm(). I'll need to rework on webrev.04. As for pkcs12 or PKCS12, do we really need to treat old and new properties differently? I would document them in java.security with pkcs12 but support reading both. --

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-27 Thread Sean Mullan
On 9/27/18 1:58 AM, Weijun Wang wrote: All others accepted. 1122 keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40 Shouldn't this be named certPbeAlgorithm so that it matches certPbeIterationCount? Same comment about keyProtectionAlgorithm. Unfortunately we already had "keystor

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-27 Thread Weijun Wang
Webrev updated at http://cr.openjdk.java.net/~weijun/8076190/webrev.04/. Thanks Max > On Sep 27, 2018, at 1:58 PM, Weijun Wang wrote: > > All others accepted. > >> 1122 keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40 >> >> Shouldn't this be named certPbeAlgorithm so that it mat

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-26 Thread Weijun Wang
All others accepted. > 1122 keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40 > > Shouldn't this be named certPbeAlgorithm so that it matches > certPbeIterationCount? Same comment about keyProtectionAlgorithm. Unfortunately we already had "keystore.pkcs12.keyProtectionAlgorithm" an

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-25 Thread Sean Mullan
Update is looking good, just a few more comments ... * java.security 1066 # The following parameters, if configured, are used by the PKCS12 KeyStore 1067 # implementation during the creation of a new keystore. Several of the 1068 # properties may also be used when modifying an existing keystor

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-25 Thread Weijun Wang
Webrev updated at http://cr.openjdk.java.net/~weijun/8076190/webrev.03/. Mostly spec changes. The test is enhanced a little to check for macAlg interop. > On Sep 24, 2018, at 11:15 PM, Sean Mullan wrote: > > Right, I understand their usage and the properties are well documented. My > comment i

Re: RFR 8076190: Customizing the generation of a PKCS12 keystore

2018-09-24 Thread Sean Mullan
On 9/23/18 9:42 AM, Weijun Wang wrote: On Sep 22, 2018, at 2:49 AM, Sean Mullan wrote: Still reviewing but here are some initial comments. It seems this is more than a fix for JDK-8076190. It also adds configuration properties for the PKCS12 algorithms. I think you should expand the scope/de