-
CSR
-
Resolution: Approved
-
P3
-
None
-
behavioral
-
low
-
-
File or wire format
-
SE
Summary
When calling KeyStore.store(outStream, password)
on a PKCS12 KeyStore with a null password, store it as a password-less PKCS12 file where certificates are not encrypted and no MacData is added for integrity protection.
Problem
It's not easy to create a password-less PKCS12 KeyStore. One has to modify the java.security file or set certain system properties. It's also impossible to save an existing non password-less PKCS12 keystore as a password-less PKCS12 keystore (in a different file).
Solution
When calling KeyStore.store(outStream, password)
on a PKCS12 KeyStore with a null password, store it as a password-less PKCS12 file no matter if the original keystore is password-less or not, or whatever system and security properties are set.
Specification
Make these clarifications in src/java.base/share/classes/java/security/KeyStore.java
.
The class spec:
@@ -170,6 +172,17 @@
+ * <p> Several methods such as {@code store} and {@code setKeyEntry} take
+ * a password parameter that is commonly used to provide protection such
+ * as an integrity check on the keystore or encryption of a key entry.
+ * However, this behavior is optional and implementation-specific.
+ * If a keystore type does not support or require these features,
+ * a {@code null} password can be provided to these methods.
+ * For example, if {@code setKeyEntry()} is called with a {@code null}
+ * password to store a key unprotected, the entry can be then extracted
+ * by {@code getKey()} with a {@code null} password.
The method spec:
/*
* ....
- * @param password the password to generate the keystore integrity check
+ * @param password the password to generate the keystore integrity check.
+ * May be {@code null} if the keystore does not support
+ * or require an integrity check.
* ....
*/
public final void store(OutputStream stream, char[] password)
throws KeyStoreException, IOException, NoSuchAlgorithmException,
CertificateException;
Same words added to the engineStore(OutputStream stream, char[] password)
method of src/java.base/share/classes/java/security/KeyStoreSpi.java
.
- csr of
-
JDK-8231107 Allow store password to be null when saving a PKCS12 KeyStore
- Resolved
- links to
-
Review openjdk/jdk/5950