Details
-
JEP
-
Resolution: Delivered
-
P2
-
Vincent Ryan
-
Feature
-
Open
-
SE
-
-
M
-
M
-
229
Description
Summary
Transition the default keystore type from JKS to PKCS12.
Goals
Improve security. PKCS12 offers stronger cryptographic algorithms than JKS.
Maintain forward and backward compatibility. Applications that access JKS and PKCS12 keystores must continue to function across JDK releases.
Motivation
JKS is a custom, JDK-specific keystore type. It has been the default keystore type for the Java platform since JDK 1.2. JKS keystores can only store private keys and trusted public-key certificates, and they are based on a proprietary format that is not easily extensible to new cryptographic algorithms.
PKCS12 is an extensible, standard, and widely-supported format for storing cryptographic keys. As of JDK 8, PKCS12 keystores can store private keys, trusted public key certificates, and secret keys. Switching to PKCS12 improves keystore integrity and confidentiality. It also opens opportunities for interoperability with other systems that also support PKCS12.
Description
This feature changes the default keystore type from JKS to PKCS12. By default, new keystores will be created in the PKCS12 keystore format. Existing keystores will not change and keystore applications can continue to explicitly specify the keystore type they require.
Existing applications must not be disrupted. Keystores tend to be long-lived, so we need to support access across several JDK releases. Applications that access keystores created by earlier JDK releases must run unaltered on JDK 9. Similarly, applications that access keystores created by JDK 9 should run unaltered on earlier JDK releases.
This requirement is achieved by introducing a keystore detection mechanism that understands both the JKS and PKCS12 formats. A keystore's format is examined before it is loaded to determine its type and then the appropriate keystore implementation is used to access it. The mechanism is enabled by default but can be disabled if required.
Support for this keystore-detection mechanism may be backported to earlier JDK releases.
Testing
Significant testing is required across JDK releases to ensure that compatibility is maintained for applications that access keystores.
Attachments
Issue Links
- relates to
-
JDK-8072578 ProbeKeystores.java creates files in test.src
-
- Closed
-
-
JDK-8062552 Support keystore type detection for JKS and PKCS12 keystores
-
- Closed
-
-
JDK-8069277 Doclint regression in java/security/KeyStore.java
-
- Resolved
-
-
-
- Resolved
-
-
-
- Closed
-
-
-
- Closed
-
1.
|
Design and Implementation |
|
Resolved | Vincent Ryan | |
2.
|
Keystore type detector |
|
Resolved | Vincent Ryan | |
3.
|
Compatibility Testing |
|
Resolved | Vincent Ryan | 2014-11-14 |
4.
|
Test Task: Update existing tests for JEP 229 Create PKCS12 Keystores by Default |
|
Closed | Tim Du (Inactive) | |
5.
|
Test Task: Develop new tests for JEP 229 Create PKCS12 Keystores by Default |
|
Resolved | Tim Du (Inactive) | 2015-02-20 |
6.
|
Release Note: Change in the default keystore type to PKCS12 |
|
Closed | Vincent Ryan |