Seems alright to this non-crypto expert. The key thing I would like to see working is:
If I create a keystore for cacerts and then use it via -with-cacerts-file taking the defaults, this results in goodness (which presumably means not getting JKS keystore)
Make sure keystore creators don't have to specify a storepass.

On Mon, Oct 8, 2018 at 8:26 AM, Weijun Wang <weijun.w...@oracle.com> wrote:

> CSR updated. Please take a review.
>
> https://bugs.openjdk.java.net/browse/JDK-8202590
>
> A slightly updated webrev at
>
> https://cr.openjdk.java.net/~weijun/8076190/webrev.05
>
> Thanks
> Max
>
> > On Oct 3, 2018, at 12:51 AM, Sean Mullan <sean.mul...@oracle.com> wrote:
> >
> > On 10/1/18 8:02 PM, Weijun Wang wrote:
> >>
> >>
> >>> On Oct 2, 2018, at 2:49 AM, Sean Mullan <sean.mul...@oracle.com> wrote:
> >>>
> >>> Looks good. After you update the CSR with these changes, I can review it.
> >>
> >> Sure.
> >>
> >> How do you think of the following change? Shall I also add it?
> >
> > Yes.
> >>
> >> diff --git a/src/java.base/share/classes/java/security/KeyStore.java > b/src/java.base/share/classes/java/security/KeyStore.java > >> --- a/src/java.base/share/classes/java/security/KeyStore.java > >> +++ b/src/java.base/share/classes/java/security/KeyStore.java
> >> @@ -318,7 +318,7 @@ > >> * for a given keystore type is set using the > >> * {@code 'keystore.<type>.keyProtectionAlgorithm'} security > property. > >> * For example, the > >> - * {@code keystore.PKCS12.keyProtectionAlgorithm} property > stores the > >> + * {@code keystore.pkcs12.keyProtectionAlgorithm} property > stores the > >> * name of the default key protection algorithm used for PKCS12 > >> * keystores. If the security property is not set, an > >> * implementation-specific algorithm will be used.
> >>
> >> Shall I add some word to this method saying we should use lowercase or are we going to live with this lower+UPPER for every keystore type forever?
> >
> > No. Let's just continue to check in the code for both variants of the above property, but remove all references to the upper-case variant from the javadocs and java.security file.
> >
> > --Sean
> >>
> >> If yes, there will also be some text for its compatibility risk.
> >>
> >> Thanks
> >> Max
> >>
> >>>
> >>> --Sean
> >>>
> >>> On 9/28/18 9:36 AM, Weijun Wang wrote:
> >>>> Webrev updated at
> >>>> http://cr.openjdk.java.net/~weijun/8076190/webrev.04/
> >>>> Major changes:
> >>>> 1. Comment out key=value lines in java.security
> >>>> 2. Fix a bug in PBES2Parameters.java
> >>>> 3. Test no longer depends on openssl. Instead, use openssl to generate some pkcs12 files and included in the test.
> >>>> 4. A new test KeyProtAlgCompat.java to ensure compatibility on pkcs12/PKCS12 names
> >>>> I haven't made any change to KeyStore.java yet. CSR is also not updated.
> >>>> Thanks
> >>>> Max
> >>
> >>
> >
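
Review bot: The javadoc in the KeyStore.java hunk (@@ -318,7 +318,7 @@) never states which case <type> takes in 'keystore.<type>.keyProtectionAlgorithm'. With the example now spelled keystore.pkcs12.keyProtectionAlgorithm while the next line still writes the type as PKCS12, a reader setting the property for another keystore type has to guess the spelling. Consider adding one sentence saying that the keystore type is written in lowercase in the property name. Since the thread settles on the code continuing to check both variants, the javadoc does not need to mention the upper-case form at all.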