On 2019-08-13 at 18:23, Weijun Wang wrote:
Please take a preliminary review at
https://cr.openjdk.java.net/~weijun/8162628/webrev.00
There is no test yet. I mainly want you to see if this is doable and whether
there can be any unexpected compatibility impact.
So, the major points are:
1. Invent a new KeyStore type named "PEM", which is a stack of PEM-format
certificates. It only supports X.509 certificates and is read-only (at the moment).
2. Migrate lib/security/cacerts to this format.
Some details:
1. JKS/PKCS12/PEM are now aliases of each other, which means you can load a PKCS12
keystore using KeyStore.getInstance("pem"). This is an expansion of the former
JKS/PKCS12 dual type.
2. PEM supports engineProbe(), and returns true as long as the first 5 bytes are readable
ASCII. This is because people might put comments before "-----BEGIN CERT-----".
3. @attr can be added into comment as attributes in the comment area. cacerts will contain
"@alias: aliasname". I'm still using the "[jdk]" label in the alias for jdkCA
recognition.
Thanks,
that's awesome. I will have a look.
Some questions upfront:
1. How did you manage to assign virtual aliases? The PEM format does not
have any.
2. I have a PKCS12 keystore issued by our CA with a public cert and a
private key in it. I can export it with openssl(1) into single PEM file
and feed it to curl with OpenSSL binding. Does this work too?
Regards,
Michael
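As an illustration of the format Weijun's message describes (a stack of PEM certificates with "@name: value" attributes in the comment area, and a probe that only checks the first 5 bytes for readable ASCII), the following standalone Java class is an added example. It is not the webrev's code and does not use any new JDK KeyStore API; it only uses the long-standing CertificateFactory. It assumes the full "-----BEGIN CERTIFICATE-----" label that openssl(1) emits (the message abbreviates it as "BEGIN CERT"), that an "@alias:" comment applies to the next certificate, and that non-certificate blocks such as a private key exported alongside the certificate are skipped, consistent with the type being certificate-only. The class name, the "cert-N" fallback alias and the 5-byte probe loop are this example's own choices.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical reader for a "stack of PEM certificates" file whose comment
 * lines (anything outside BEGIN/END blocks) may carry "@name: value"
 * attributes that apply to the next certificate, e.g. "@alias: foo [jdk]".
 * Illustration only; not the JDK's PEM KeyStore implementation.
 */
public final class PemStackReader {

    private static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
    private static final String END_CERT = "-----END CERTIFICATE-----";

    private PemStackReader() {}

    /**
     * Probe in the spirit of the described engineProbe(): accept the input if
     * the first 5 bytes are readable ASCII, so that a leading comment block
     * (rather than an immediate BEGIN line) does not cause rejection.
     * Binary formats such as JKS or PKCS12 fail this check.
     */
    public static boolean looksLikePemStack(byte[] data) {
        if (data.length < 5) return false;
        for (int i = 0; i < 5; i++) {
            int b = data[i] & 0xff;
            boolean printable = b >= 0x20 && b < 0x7f;
            boolean whitespace = b == '\n' || b == '\r' || b == '\t';
            if (!printable && !whitespace) return false;
        }
        return true;
    }

    /** Parse the stack into alias -> certificate, preserving file order. */
    public static Map<String, X509Certificate> read(byte[] data) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Map<String, X509Certificate> result = new LinkedHashMap<>();
        Map<String, String> pendingAttrs = new HashMap<>(); // "@name: value" seen since last cert
        StringBuilder block = null;                          // non-null while inside a cert block
        int unnamed = 0;
        String text = new String(data, StandardCharsets.US_ASCII);
        for (String raw : text.split("\\r?\\n")) {
            String line = raw.trim();
            if (block == null) {
                if (line.equals(BEGIN_CERT)) {
                    block = new StringBuilder(line).append('\n');
                } else if (line.startsWith("@") && line.indexOf(':') > 1) {
                    int colon = line.indexOf(':');
                    pendingAttrs.put(line.substring(1, colon).trim(), line.substring(colon + 1).trim());
                }
                // Anything else outside a block is free-form comment. This also
                // skips PRIVATE KEY blocks: their lines never match BEGIN_CERT.
            } else {
                block.append(line).append('\n');
                if (line.equals(END_CERT)) {
                    byte[] pem = block.toString().getBytes(StandardCharsets.US_ASCII);
                    X509Certificate cert =
                        (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem));
                    // Use the "@alias:" attribute if present, else a positional name.
                    String alias = pendingAttrs.getOrDefault("alias", "cert-" + (++unnamed));
                    if (result.containsKey(alias)) {
                        throw new CertificateException("duplicate alias: " + alias);
                    }
                    result.put(alias, cert);
                    pendingAttrs.clear();
                    block = null;
                }
            }
        }
        if (block != null) throw new CertificateException("unterminated certificate block");
        return result;
    }

    public static void main(String[] args) throws Exception {
        byte[] data = Files.readAllBytes(Paths.get(args[0]));
        if (!looksLikePemStack(data)) {
            System.err.println("probe failed: not a PEM certificate stack");
            return;
        }
        for (Map.Entry<String, X509Certificate> e : read(data).entrySet()) {
            // A "[jdk]" marker inside the alias value survives as-is for the caller to inspect.
            System.out.println(e.getKey() + " -> " + e.getValue().getSubjectX500Principal());
        }
    }
}
```

Run it as `java PemStackReader bundle.pem` against any PEM bundle, for example one exported from a PKCS12 file with openssl(1) as Michael describes; a private key in that bundle is silently ignored, which is what a certificate-only, read-only type would do, and the alias table that results is the kind of virtual naming the first question asks about.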