Rename it to "Migrate cacerts keystore to password-less PKCS12 format".
In the Problem section, you may also want to add something like:
- the certificates are public
- The integrity protection is not really necessary since the cacerts
file is part of the installed JDK, which should be installed using a
secure mechanism and protected appropriately on-disk from modification.
In the Solution section, you should probably mention that if the
"keystore.type.compat" security property is set to false, then the risk
of breakage would be high, but we do not believe that this property is
changed very often.
--Sean
On 5/30/19 11:32 PM, Weijun Wang wrote:
Please review the CSR at
https://bugs.openjdk.java.net/browse/JDK-8224891
(Oh, I hate the CSR having a different bug id.)
Basically, with this change, the cacerts file can be loaded with
KeyStore.getInstance("JKS" or "PKCS12").load(stream, null or anything) or
KeyStore.getInstance(new File("cacerts"), null or anything)
so hopefully all your old code should still work.
I've also opened another RFE [1] that intends to find a different way to tag jdkCA
entries in cacerts other than appending "[jdk]" to the alias.
Thanks,
Max
[1] https://bugs.openjdk.java.net/browse/JDK-8225099
