  1. JDK
  2. JDK-8233405

System property to set the number of PBE iterations in JCEKS keystores


    • CSR
    • Resolution: Approved
    • P4
    • 14
    • security-libs
    • None
    • behavioral
    • minimal
    • The compatibility risk is minimal because the default value (when the new system/security property is not set) remains the same as before (200000).
    • System or security property
    • JDK

      Summary

      A new system and security property (jdk.jceks.iterationCount) is introduced to set the number of password-based encryption (PBE) iterations in JCEKS keystores.

      Problem

      The number of PBE iterations in JCEKS keystores is currently fixed at 200000, and the user has no way to set a different value.

      Solution

      Provide more flexibility to the user by allowing the number of PBE iterations for JCEKS keystores to be set through a system or a security property (jdk.jceks.iterationCount).

      Specification

      The system and security property name is jdk.jceks.iterationCount.

      Values in the range 10000 to 5000000 are considered valid. If the value is out of this range, is not a number, or is unspecified, a default value of 200000 is used. The default value corresponds to the fixed value used before this enhancement, preserving backward compatibility and minimizing the risk associated with this change.
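
      The fallback rule above means an invalid setting is dropped without error, so a value chosen to strengthen the keystore can end up at the default. The following added example (not JDK code) applies the stated rule to constructed sample values and to the live system property; the class name `JceksIterationCountCheck` is hypothetical, the bounds are assumed inclusive, and plain `Integer.parseInt` is assumed as the meaning of "a number".

```java
public class JceksIterationCountCheck {            // hypothetical name, not a JDK class
    // Bounds and default taken from the Specification section of this CSR.
    static final int MIN = 10_000, MAX = 5_000_000, DEFAULT = 200_000;

    /** Returns the parsed value if it would be honoured, or null if it would be rejected. */
    static Integer parseValid(String raw) {
        try {
            int n = Integer.parseInt(raw);               // assumption: plain decimal integer
            return (n >= MIN && n <= MAX) ? n : null;    // assumption: bounds are inclusive
        } catch (NumberFormatException e) {
            return null;                                 // not a number
        }
    }

    /** Iteration count that takes effect for a raw property value (null = unspecified). */
    static int effective(String raw) {
        Integer n = (raw == null) ? null : parseValid(raw);
        return (n == null) ? DEFAULT : n;
    }

    /** Audit verdict: was the setting honoured, and does it lower the work factor? */
    static String verdict(String raw) {
        if (raw == null) return "unset -> default " + DEFAULT;
        Integer n = parseValid(raw);
        if (n == null) return "IGNORED -> falls back to " + DEFAULT;
        return n < DEFAULT
                ? "accepted (" + n + "), fewer iterations than the default"
                : "accepted (" + n + ")";
    }

    public static void main(String[] args) {
        // Constructed sample values, as they might be passed with -Djdk.jceks.iterationCount=...
        String[] samples = {null, "10000", "600000", "5000000", "9999", "5000001", "abc", "10000000"};
        for (String s : samples) {
            System.out.printf("%-10s effective=%-8d %s%n", s, effective(s), verdict(s));
        }
        // The value configured for this JVM as a system property, if any.
        String live = System.getProperty("jdk.jceks.iterationCount");
        System.out.println("this JVM: " + verdict(live));
    }
}
```

      For the sample `10000000`, the output shows an effective count of 200000: a request above the upper bound is not clamped to 5000000 but replaced by the default.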

      Property documentation will be available in the java.security file.

      Note: PKCS12 keystores are recommended for new implementations, instead of JCEKS keystores. The intention of this change is to support existing use cases until migration.

            mbalao Martin Balao Alonso
            mbalao Martin Balao Alonso
            Weijun Wang