- CSR
- Resolution: Approved
- P4
- None
- behavioral
- minimal
- The compatibility risk is minimal because the default value (when the new system/security property is not set) remains the same as before (200000).
- System or security property
- JDK
Summary
A new system and security property (jdk.jceks.iterationCount) is introduced to set the number of password-based encryption (PBE) iterations in JCEKS keystores.
Problem
The number of PBE iterations in JCEKS keystores is currently fixed at 200000, and the user has no way to set a different value.
Solution
Provide more flexibility to the user by allowing the number of PBE iterations for JCEKS keystores to be set through a system or a security property (jdk.jceks.iterationCount).
Specification
The system and security property name is jdk.jceks.iterationCount.
Values in the range 10000 to 5000000 are considered valid. If the value is out of this range, is not a number, or is unspecified, a default value of 200000 is used. The default value corresponds to the fixed value used before this enhancement, preserving backward compatibility and minimizing the risk associated with this change.
Property documentation will be available in the java.security file.
Note: PKCS12 keystores are recommended for new implementations instead of JCEKS keystores. The intention of this change is to support existing use cases until migration.
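The following is an added example, not code from the JDK or from this CSR. It sets jdk.jceks.iterationCount before creating a JCEKS keystore, round-trips a secret key, and mirrors the validation rule from the specification in a helper so a deployment can check which value would take effect. The class name, the helper effectiveCount, the alias and the password are constructed for illustration, and the precedence of the system property over the security property is an assumption that the text above does not state.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class JceksIterationCountDemo {
    static final String PROP = "jdk.jceks.iterationCount";
    static final int MIN = 10000, MAX = 5000000, DEFAULT = 200000;

    // Mirrors the specification: unset, non-numeric or out-of-range -> 200000.
    // Assumption: the system property is consulted before the security property.
    static int effectiveCount() {
        String v = System.getProperty(PROP);
        if (v == null) v = Security.getProperty(PROP);
        if (v == null) return DEFAULT;
        try {
            int n = Integer.parseInt(v);
            return (n >= MIN && n <= MAX) ? n : DEFAULT;
        } catch (NumberFormatException e) {
            return DEFAULT;
        }
    }

    public static void main(String[] args) throws Exception {
        // Set the property before the first JCEKS operation
        // (assumption: the provider may read the value only once).
        System.setProperty(PROP, "500000");
        System.out.println("effective iteration count: " + effectiveCount());

        char[] password = "constructed-demo-password".toCharArray();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                       // new, empty keystore
        ks.setKeyEntry("demo", key, password, null); // entry is PBE-protected
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);

        KeyStore reloaded = KeyStore.getInstance("JCEKS");
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), password);
        SecretKey back = (SecretKey) reloaded.getKey("demo", password);
        System.out.println("round trip ok: " + Arrays.equals(key.getEncoded(), back.getEncoded()));
    }
}
```

The same value can be supplied on the command line with -Djdk.jceks.iterationCount=500000 or as a jdk.jceks.iterationCount=500000 line in the java.security file.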
- csr of JDK-8233404 System property to set the number of PBE iterations in JCEKS keystores - Resolved