Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9
    • Component/s: security-libs
    • Labels:
      None

      Description

      1. Introduction

      The Java platform supports a variety of keystore types.
      For many years the default keystore type was JKS, now it is PKCS12.
      PKCS12 keystores offer improved security and interoperability.

      By default, new keystores will be created in the PKCS#12 format.
      Existing keystores retain the keystore type that they were created with.


      2. Specification

      The default keystore type is specified by the following property in the
      $JRE/lib/security/java.security file:

          keystore.type

      In JDK 9 it is set to "pkcs12". Previously it was set to "jks".

      To prevent problems for applications that access keystores using
      the default keystore type, a detector mechanism has been introduced.
      This mechanism ensures that the correct keystore type is used,
      regardless of the keystore type supplied by the calling application.
      Currently, it detects only JKS and PKCS12 keystores.

      A new security property is introduced to control the keystore type detector:

          keystore.type.detector

      In JDK 9 it is set to "jks,pkcs12".

      Applications that need to disable the detector mechanism for a specific
      keystore type shall omit that type from the security property setting.


      3. Implementation

      Implement a keystore type detector for JKS and PKCS12 keystores.

      The java.security.KeyStore class has been enhanced to detect the correct
      keystore type regardless of the keystore type supplied by the caller.
      Currently, only JKS and PKCS12 keystore types are detected.


      4. Issues

      Passwordless access is supported for JKS keystores but not for PKCS12 keystores.

        Attachments

          Activity

            People

            Assignee:
            vinnie Vincent Ryan
            Reporter:
            vinnie Vincent Ryan
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: