On 9/27/18 1:58 AM, Weijun Wang wrote:
All others accepted.
1122 keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40
Shouldn't this be named certPbeAlgorithm so that it matches
certPbeIterationCount? Same comment about keyProtectionAlgorithm.
Unfortunately we already had "keystore.pkcs12.keyProtectionAlgorithm" and it also accepts "PKCS12".
Ah, I see - I forgot about that property.
See
http://cr.openjdk.java.net/~weijun/8076190/webrev.03/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java-.html:
147 private static final String[] KEY_PROTECTION_ALGORITHM = {
148 "keystore.pkcs12.keyProtectionAlgorithm",
149 "keystore.PKCS12.keyProtectionAlgorithm"
150 };
But you are right the names are not consistent and supporting both "pkcs12" and "PKCS12"
is awkward (and cannot make use of the new SecurityProperties::privilegedGetOverridable method). Now I decide
to name the new properties as (key|cert)PbeAlgorithm names with only "pkcs12", and only support the
old names as a fallback.
Hmm, but this means we have to support 2 properties meaning the same
thing, and the KeyStore.PasswordProtection.getProtectionAlgorithm() is
already specified to use the keystore.<type>.keyProtectionAlgorithm
property. Based on that, I take back my comment, and I think it would be
better to retain the existing property instead of defining another one
with the same meaning. I don't like having to try to get the properties
with "pkcs12" and "PKCS12", but it seems we could live with that since
we have been doing it and we only need to do this for the existing
properties - we could assume "pkcs12" for all of the new ones.
--Sean
