Extending KeyStore.PasswordProtection works well for keys and for certs.
To retain its immutability, a new constructor that takes the PBE
algorithm name and a new getter could be added.
Thanks.
On 01/10/2012 20:03, Michael StJohns wrote:
At 02:17 PM 10/1/2012, Vincent Ryan wrote:
We could examine a mechansim for keystore applications to override the default
PBE algorithm for protecting keys and certs.
Maybe extend KeyStore.LoadStoreParameter?
So don't change the PKCS12 instance type, instead deal with this on an entry by
entry basis? Makes sense.
Probably the right change is to extend KeyStore.PasswordProtection, and allow
the user to provide a different algorithm per entry? If you are loading, you
can use KeyStore.PasswordProtection, and it takes the algorithm from the entry
info. If you are storing, and you don't specify the algorithm, you get the
default (perhaps specified in java.security props file next to the keystore
default type?)
Mike
Mike
On 1 Oct 2012, at 18:50, Michael StJohns wrote:
My main reason for suggesting this is that the all but one of the algorithm
suites defined in PKCS12 are either deprecated or prohibited by NIST guidance.
The undeprecated suite appears to be the default one used by the java
implementation. It would be nice to have a choice.
See below.
At 12:51 PM 10/1/2012, Vincent Ryan wrote:
Hello Mike,
The new PBE algorithms in JEP-121, such as PBEWithHmacSHA256AndAES_128, could
certainly be used
for PKCS12 keystores within Java environments - the problem is maintaining
interoperability with existing
crypto toolkits and web browsers.
Yup - but someone has to be first.... :-)
Mike
Is there any interest among those on this list in promoting wider support for
these PBE algorithms?
Thanks.
On 1 Oct 2012, at 17:06, Michael StJohns wrote:
At 08:27 PM 9/28/2012, [email protected] wrote:
Posted: http://openjdk.java.net/jeps/166
- Mark
This seems at least partially related to JEP 121 and maybe even dependent on
it. Might be useful to have a cross reference. Also, probably useful to
decide/state a new default PKCS12 algorithm? E.g. maybe
PBEwithSHA256andAES-128?
Mike
