[8] Code review request for 8006591: Protect keystore entries using stronger PBE algorithms
Weijun Wang weijun.wang at oracle.com
Sat Jan 19 13:07:01 UTC 2013
On Jan 19, 2013, at 20:24, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:

On 19/01/2013 09:43, Weijun Wang wrote:

Also, although we haven't standardized the keystore types, there is still a possibility that different providers use the same storetype name. How can we ensure everyone honors the security property?

If another JCE provider uses the same keystore type name for their implementation as an existing keystore type name then the same default entry protection algorithm would apply to both. I don't think that's a problem. If it became an issue then we could consider making the security property multi-valued and rely on ordering to distinguish between keystore implementations that employ the same keystore type.

Max

On Jan 19, 2013, at 17:28, Weijun Wang <weijun.wang at oracle.com> wrote:
+ /** + * Gets the name of the protection algorithm. + * If none was set then the default algorithm name is returned. + * The default algorithm name for a given keystore type is set using the + * {@code 'keystore..entryProtectionAlgorithm'} Security property. + * For example, the + * {@code keystore.PKCS12.entryProtectionAlgorithm} property stores the + * name of the default entry protection algorithm used for PKCS12 + * keystores. + *

I didn't see the security property used in the pkcs12 codes.

Right. I need to update the keystore code to support that.
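Review bot: In the first {@code} of this Javadoc the generic property name reads 'keystore..entryProtectionAlgorithm', with nothing between the two dots and with literal single quotes inside the tag; as shown here a reader cannot tell that the middle segment is the keystore type, so spell out a placeholder for it and drop the quotes. The comment also does not say what is returned when no algorithm was set and the property is not defined for the keystore type, and the PKCS12 example leaves open whether the type segment of the property name is case-sensitive; one sentence on each would help.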
And probably also the description and example line to java.security file.
Max
Thanks.
-Max

On Jan 19, 2013, at 3:53, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:
Hello,
Please review the fix for 8006591. It introduces a mechanism to enable stronger PBE algorithms to be specified when encrypting a keystore entry. This allows developers to make use of the new PBE algorithms delivered in JEP-121. Note however that PKCS12 is currently the only keystore that supports this new feature. It is a component of the JEP-166 delivery.

Webrev: http://cr.openjdk.java.net/~vinnie/8006591/webrev.00/

Thanks.
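The mechanism described in the review request above, as an added example that is not part of the original thread or the webrev: a PKCS12 entry is stored under an explicitly chosen PBE algorithm and read back with the password alone. It assumes the three-argument KeyStore.PasswordProtection constructor and the SunJCE algorithm name as found in the released Java 8 API, which may differ from webrev.00; the alias, password, and iteration count are constructed sample values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEParameterSpec;

public class StrongEntryProtection {
    // Assumption: one of the JEP-121 PBES2 algorithm names provided by SunJCE.
    static final String PBE_ALG = "PBEWithHmacSHA256AndAES_128";

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-demo-password".toCharArray(); // constructed sample
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16];
        byte[] iv = new byte[16]; // AES block size
        rng.nextBytes(salt);
        rng.nextBytes(iv);

        // The secret to protect: a fresh AES key, so no certificate chain is needed.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Per-entry protection: password plus explicit PBE algorithm and parameters.
        KeyStore.PasswordProtection strong = new KeyStore.PasswordProtection(
                password, PBE_ALG,
                new PBEParameterSpec(salt, 10000, new IvParameterSpec(iv)));
        System.out.println("requested: " + strong.getProtectionAlgorithm());

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty keystore
        ks.setEntry("demo-key", new KeyStore.SecretKeyEntry(key), strong);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);

        // Reload: the algorithm is recorded in the file, so the password suffices.
        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), password);
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry)
                reloaded.getEntry("demo-key", new KeyStore.PasswordProtection(password));
        if (!Arrays.equals(key.getEncoded(), entry.getSecretKey().getEncoded())) {
            throw new IllegalStateException("round trip changed the key");
        }
        System.out.println("entry recovered with password only");
    }
}
```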