
Change default pkcs12 certpbe algorithm to NONE


Details

• Type: Enhancement
• Status: Open
• Priority: P4
• Resolution: Unresolved
• Affects Version/s: None
• Fix Version/s: None
• Component/s: security-libs
• Labels: None

Description

One major difference between JKS and PKCS12 keystores generated by Java is that JKS stores certificates in plaintext while PKCS12 stores them encrypted. This has been the major obstacle to switching fully from JKS to PKCS12, especially for the cacerts file, where everything is public information and there is no benefit in encrypting the certificates and then publicizing the password to the whole world. This enhancement proposes changing the default pbecert algorithm to NONE (precisely, keystore.pkcs12.certProtectionAlgorithm in java.security). For newly created pkcs12 files this means: 1) keys are still protected by individual passwords, 2) certs are stored in plaintext, and 3) MacData is still present for the integrity check. This would give pkcs12 the same characteristics as JKS and make pkcs12 files friendlier to deal with through the KeyStore API.
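To make the effect of the proposed default concrete, the following added example (not part of this issue or of the JDK sources) writes the same trusted certificate into a PKCS12 keystore twice, once under the current default and once with the certificate protection algorithm set to NONE, then reloads each with a null password. It assumes a certificate file path in args[0] and relies on keystore.pkcs12.certProtectionAlgorithm being overridable by a system property of the same name, as documented in java.security.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;

public class Pkcs12CertProtectionDemo {

    // Store one trusted cert in a PKCS12 keystore under the given cert protection algorithm
    // (null = leave the java.security default in force). Only cert encryption changes;
    // MacData is written in both cases because a store password is supplied.
    static byte[] storeTrustedCert(Certificate cert, String certProtectionAlgorithm, char[] password)
            throws Exception {
        if (certProtectionAlgorithm == null) {
            System.clearProperty("keystore.pkcs12.certProtectionAlgorithm");
        } else {
            // Same effect as keystore.pkcs12.certProtectionAlgorithm=<value> in java.security, JVM-local.
            System.setProperty("keystore.pkcs12.certProtectionAlgorithm", certProtectionAlgorithm);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setCertificateEntry("trusted-ca", cert);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    // Load with a null password: the MAC is not verified and encrypted SafeContents are skipped,
    // so only certificates stored in plaintext are visible as entries (the JKS-like behaviour).
    static int certsVisibleWithoutPassword(byte[] p12) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), null);
        return Collections.list(ks.aliases()).size();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is a PEM or DER X.509 certificate, e.g. one exported from cacerts.
        Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        char[] pw = "changeit".toCharArray();
        byte[] encrypted = storeTrustedCert(cert, null, pw);   // current default: certs encrypted
        byte[] plain = storeTrustedCert(cert, "NONE", pw);     // proposed default: certs in plaintext
        System.out.println("default: " + certsVisibleWithoutPassword(encrypted) + " cert(s) visible without password");
        System.out.println("NONE:    " + certsVisibleWithoutPassword(plain) + " cert(s) visible without password");
    }
}
```

With the current default the reload without a password shows no entries, while the NONE keystore exposes the trusted certificate, which is exactly the property that makes cacerts usable without a published password.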

People

• Assignee: Weijun Wang (weijun)
• Reporter: Weijun Wang (weijun)
• Votes: 0
• Watchers: 1