Details
-
Sub-task
-
Resolution: Fixed
-
P3
-
None
-
None
-
b45
Description
1. Introduction
The Java platform supports a variety of keystore types.
For many years the default keystore type was JKS, now it is PKCS12.
PKCS12 keystores offer improved security and interoperability.
By default, new keystores will be created in the PKCS#12 format.
Existing keystores retain the keystore type that they were created with.
2. Specification
The default keystore type is specified by the following property in the
$JRE/lib/security/java.security file:
keystore.type
In JDK 9 it is set to "pkcs12". Previously it was set to "jks".
To prevent problems for applications that access keystores using
the default keystore type, a detector mechanism has been introduced.
This mechanism ensures that the correct keystore type is used,
regardless of the keystore type supplied by the calling application.
Currently, it detects only JKS and PKCS12 keystores.
A new security property is introduced to control the keystore type detector:
keystore.type.detector
In JDK 9 it is set to "jks,pkcs12".
Applications that need to disable the detector mechanism for a specific
keystore type shall omit that type from the security property setting.
3. Implementation
Implement a keystore type detector for JKS and PKCS12 keystores.
The java.security.KeyStore class has been enhanced to detect the correct
keystore type regardless of the keystore type supplied by the caller.
Currently, only JKS and PKCS12 keystore types are detected.
4. Issues
Passwordless access is supported for JKS keystores but not for PKCS12 keystores.
The Java platform supports a variety of keystore types.
For many years the default keystore type was JKS, now it is PKCS12.
PKCS12 keystores offer improved security and interoperability.
By default, new keystores will be created in the PKCS#12 format.
Existing keystores retain the keystore type that they were created with.
2. Specification
The default keystore type is specified by the following property in the
$JRE/lib/security/java.security file:
keystore.type
In JDK 9 it is set to "pkcs12". Previously it was set to "jks".
To prevent problems for applications that access keystores using
the default keystore type, a detector mechanism has been introduced.
This mechanism ensures that the correct keystore type is used,
regardless of the keystore type supplied by the calling application.
Currently, it detects only JKS and PKCS12 keystores.
A new security property is introduced to control the keystore type detector:
keystore.type.detector
In JDK 9 it is set to "jks,pkcs12".
Applications that need to disable the detector mechanism for a specific
keystore type shall omit that type from the security property setting.
3. Implementation
Implement a keystore type detector for JKS and PKCS12 keystores.
The java.security.KeyStore class has been enhanced to detect the correct
keystore type regardless of the keystore type supplied by the caller.
Currently, only JKS and PKCS12 keystore types are detected.
4. Issues
Passwordless access is supported for JKS keystores but not for PKCS12 keystores.