Please take a preliminary review at

   https://cr.openjdk.java.net/~weijun/8162628/webrev.00

There is no test yet. I mainly want you to see if this is doable and whether 
there can be any unexpected compatibility impact.

So, the major points are:

1. Invent a new KeyStore type named "PEM", which is a stack of PEM-format 
certificates. It only supports X.509 certificates and is read-only (at the 
moment).
2. Migrate lib/security/cacerts to this format.

Some details:

1. JKS/PKCS12/PEM are now aliases of each other, which means you can load a 
PKCS12 keystore using KeyStore.getInstance("pem"). This is an expansion of the 
former JKS/PKCS12 dual type.
2. PEM supports engineProbe(), and returns true as long as the first 5 bytes 
are readable ASCII. This is because people might put comments before "-----BEGIN 
CERT-----".
3. "@attr" lines can be added as attributes in the comment area. cacerts 
will contain "@alias: aliasname". I'm still using the "[jdk]" label in the 
alias for jdkCA recognition.

Thanks,
Max
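As an added illustration of the file layout the message describes (not code from the webrev or from the JDK), the following Python script parses a PEM certificate stack whose comment area carries "@name: value" attributes, applies the "first 5 bytes are readable ASCII" probe heuristic, and builds the alias-to-entry map a read-only PEM KeyStore would expose. It is an interpretation of the proposal, not the implementation: "readable ASCII" is taken to mean printable ASCII plus tab/CR/LF, the base64 bodies in the embedded sample are constructed placeholders rather than real certificates, and no X.509 parsing is performed (the real keystore would hand each block to a CertificateFactory).

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout the proposal describes: a free-form comment
# area carrying "@name: value" attributes, followed by a PEM certificate block.
# The base64 bodies are NOT real certificates (they decode to "constructed-der-N").
SAMPLE_PEM_STORE = """\
# Constructed cacerts-style trust store for this example
@alias: exampleroot [jdk]
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQtZGVyLTE=
-----END CERTIFICATE-----
# Not tagged [jdk], so it would not be recognised as a jdkCA entry
@alias: othercorp
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQtZGVyLTI=
-----END CERTIFICATE-----
"""

BEGIN_CERT = "-----BEGIN CERTIFICATE-----"
END_CERT = "-----END CERTIFICATE-----"
# "@name: value", optionally behind a leading '#'; attribute names are case-folded.
ATTR_RE = re.compile(r"^#?\s*@(\w+)\s*:\s*(.*?)\s*$")


def probe_pem(data: bytes) -> bool:
    """Assumed reading of the proposed engineProbe(): true iff the first five
    bytes are readable ASCII (printable, or tab/CR/LF).  A DER/PKCS12 header
    (0x30 0x82 ...) or the JKS magic (0xFEEDFEED) fails this, so the existing
    probes for those formats are not shadowed."""
    head = data[:5]
    return len(head) == 5 and all(
        0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in head
    )


def parse_pem_stack(text: str) -> List[Tuple[Dict[str, str], bytes]]:
    """Split a PEM stack into (attributes, DER bytes) pairs.  Attributes are the
    "@name: value" lines in the comment area preceding each certificate block."""
    entries: List[Tuple[Dict[str, str], bytes]] = []
    attrs: Dict[str, str] = {}
    b64_lines: List[str] = []
    in_cert = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_cert:
            if line == END_CERT:
                # validate=True rejects stray non-base64 characters inside a block
                der = base64.b64decode("".join(b64_lines), validate=True)
                entries.append((attrs, der))
                attrs, b64_lines, in_cert = {}, [], False
            elif line:
                b64_lines.append(line)
            continue
        if line == BEGIN_CERT:
            in_cert = True
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1).lower()] = m.group(2)
    if in_cert:
        raise ValueError("truncated PEM block: missing END line")
    return entries


def load_pem_keystore(text: str) -> Dict[str, bytes]:
    """Build an alias -> DER map the way a read-only PEM KeyStore would: the
    @alias attribute names the entry; entries without one get a generated
    alias (a hypothetical fallback, not specified by the proposal)."""
    store: Dict[str, bytes] = {}
    for index, (attrs, der) in enumerate(parse_pem_stack(text), 1):
        alias = attrs.get("alias", f"cert-{index}")
        if alias in store:
            raise ValueError(f"duplicate alias {alias!r}")
        store[alias] = der
    return store


def is_jdk_ca(alias: str) -> bool:
    """The proposal keeps the "[jdk]" label in the alias for jdkCA recognition."""
    return "[jdk]" in alias


if __name__ == "__main__":
    print("probe:", probe_pem(SAMPLE_PEM_STORE.encode()))
    for alias, der in load_pem_keystore(SAMPLE_PEM_STORE).items():
        print(f"{alias!r:24} jdkCA={is_jdk_ca(alias)} der={der!r}")
```

The probe is deliberately permissive, which is the compatibility question the message raises: any file that starts with five readable bytes probes as PEM, so a `KeyStore.getInstance("pem")` load of a text file that is not a certificate stack fails only later, at parse time, rather than at probe time.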
