> On Oct 10, 2018, at 1:07 AM, Martin Buchholz <marti...@google.com> wrote:
> 
> Seems alright to this non-crypto expert.
> 
> The key thing I would like to see working is:
> 
> If I create a keystore for cacerts and then use it via -with-cacerts-file 
> taking the defaults, this results in goodness (which presumably means not 
> getting JKS keystore)

I haven't tried this configure option before, but does it mean just copy your 
own file to lib/security/cacerts?

Then you need to make it correct, i.e. a JKS file, or a password-less pkcs12 
file, or with-password pkcs12 but you set the correct storepass (TLS system 
property?).

> 
> Make sure keystore creators don't have to specify a storepass.

If you want to create a password-less pkcs12 file, you will need to specify 
those system properties (certProtectionAlgorithm and macAlgorithm to NONE). 
Then I'll make sure there is no need to specify a storepass.

Thanks
Max

> 
> On Mon, Oct 8, 2018 at 8:26 AM, Weijun Wang <weijun.w...@oracle.com> wrote:
> CSR updated. Please review.
> 
>    https://bugs.openjdk.java.net/browse/JDK-8202590
> 
> A slightly updated webrev at
> 
>    https://cr.openjdk.java.net/~weijun/8076190/webrev.05
> 
> Thanks
> Max
> 
> > On Oct 3, 2018, at 12:51 AM, Sean Mullan <sean.mul...@oracle.com> wrote:
> > 
> > On 10/1/18 8:02 PM, Weijun Wang wrote:
> >> 
> >> 
> >>> On Oct 2, 2018, at 2:49 AM, Sean Mullan <sean.mul...@oracle.com> wrote:
> >>> 
> >>> Looks good. After you update the CSR with these changes, I can review it.
> >> 
> >> Sure.
> >> 
> >> What do you think of the following change? Shall I also add it?
> > 
> > Yes.
> >> 
> >> diff --git a/src/java.base/share/classes/java/security/KeyStore.java 
> >> b/src/java.base/share/classes/java/security/KeyStore.java
> >> --- a/src/java.base/share/classes/java/security/KeyStore.java
> >> +++ b/src/java.base/share/classes/java/security/KeyStore.java
> >> @@ -318,7 +318,7 @@
> >>           * for a given keystore type is set using the
> >>           * {@code 'keystore.<type>.keyProtectionAlgorithm'} security 
> >> property.
> >>           * For example, the
> >> -         * {@code keystore.PKCS12.keyProtectionAlgorithm} property stores 
> >> the
> >> +         * {@code keystore.pkcs12.keyProtectionAlgorithm} property stores 
> >> the
> >>           * name of the default key protection algorithm used for PKCS12
> >>           * keystores. If the security property is not set, an
> >>           * implementation-specific algorithm will be used.
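Review bot: the context line with the `{@code 'keystore.<type>.keyProtectionAlgorithm'}` template, just above the changed example, still does not say which case `<type>` takes, so a reader who has the old `keystore.PKCS12.keyProtectionAlgorithm` spelling configured cannot tell from this javadoc whether it is still honored. Consider adding one sentence stating that the type is written in lower case in the property name, and whether the upper-case form remains accepted for compatibility.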
> >> 
> >> Shall I add some words to this method saying we should use lowercase, or are 
> >> we going to live with this lower+UPPER for every keystore type forever?
> > No. Let's just continue to check in the code for both variants of the above 
> > property, but remove all references to the upper-case variant from the 
> > javadocs and java.security file.
> > 
> > --Sean
> >> 
> >> If yes, there will also be some text for its compatibility risk.
> >> 
> >> Thanks
> >> Max
> >> 
> >>> 
> >>> --Sean
> >>> 
> >>> On 9/28/18 9:36 AM, Weijun Wang wrote:
> >>>> Webrev updated at
> >>>>    http://cr.openjdk.java.net/~weijun/8076190/webrev.04/
> >>>> Major changes:
> >>>> 1. Comment out key=value lines in java.security
> >>>> 2. Fix a bug in PBES2Parameters.java
> >>>> 3. Test no longer depends on openssl. Instead, use openssl to generate 
> >>>> some pkcs12 files and include them in the test.
> >>>> 4. A new test KeyProtAlgCompat.java to ensure compatibility on 
> >>>> pkcs12/PKCS12 names
> >>>> I haven't made any change to KeyStore.java yet. CSR is also not updated.
> >>>> Thanks
> >>>> Max
> >> 
> >> 
> 
> 
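
As an added example (not code from this thread or from the JDK change under review), this Java program builds a password-less PKCS12 trust store the way the reply at the top of the thread describes and reloads it with no storepass. It assumes JDK 12 or later and the full property names keystore.pkcs12.certProtectionAlgorithm and keystore.pkcs12.macAlgorithm; the class name and temp-file prefix are made up here, and the certificates are copied from the running JDK's own cacerts.

```java
import java.io.File;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Collections;

public class PasswordlessCacerts {          // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Assumed full names of the two properties mentioned in the thread.
        // They are read when the keystore is written, so set them first.
        System.setProperty("keystore.pkcs12.certProtectionAlgorithm", "NONE");
        System.setProperty("keystore.pkcs12.macAlgorithm", "NONE");

        // Certificate source: the running JDK's cacerts, opened without a password.
        File bundled = Path.of(System.getProperty("java.home"),
                               "lib", "security", "cacerts").toFile();
        KeyStore source = KeyStore.getInstance(bundled, (char[]) null);

        // Copy only trusted-certificate entries into a fresh PKCS12 keystore.
        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null);
        for (String alias : Collections.list(source.aliases())) {
            if (source.isCertificateEntry(alias)) {
                out.setCertificateEntry(alias, source.getCertificate(alias));
            }
        }

        // With both algorithms set to NONE nothing is encrypted or MACed,
        // so the password argument is not used; an empty array is passed.
        Path target = Files.createTempFile("cacerts-", ".p12");
        try (OutputStream os = Files.newOutputStream(target)) {
            out.store(os, new char[0]);
        }

        // Reload with a null password: this is the "no storepass" case.
        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        try (InputStream is = Files.newInputStream(target)) {
            reloaded.load(is, null);
        }
        if (reloaded.size() != out.size()) {
            throw new IllegalStateException("entries lost: wrote " + out.size()
                    + ", read back " + reloaded.size());
        }
        System.out.println(target + ": " + reloaded.size() + " certificates, no password");
    }
}
```

With macAlgorithm set to NONE the file has no integrity check of its own, so the file-system permissions on it are what protect the trust anchors.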
