Attila Szegedi wrote:
>
> A quick look inside the source code of sun.security.provider.JavaKeyStore reveals
> the following line in the getPreKeyedHash() method:
>
> md.update("Mighty Aphrodite".getBytes("UTF8"));
>
> Background: They're storing an MD5 hash of the password in the keystore to ensure the
> keystore was not tampered with. To make the MD5 hash harder to crack (assuming the cracker
> is not smart enough to itself study JDK sources), it is pre-keyed with the above
> tribute to Woody Allen. As it appears nowhere in the specs, a cleanroom JDK could use
> another string to pre-key the hash (potentially it could even not pre-key it at all).
> In this case, a keystore created with Sun JDK would appear tampered with when opened by a
> JDK that pre-keys the hash with "Everything You Always Wanted to Know About Sex".
And the keystorePass is in server.xml, but that is well known.
We should avoid things like "security through obscurity".
>
> Attila.
>
> > >
> > > Christopher Cain wrote:
> > > >
> > > > Hi Patrick. Could you explain this a little further? Actually creating a
> > > > keystore using keytool of course has nothing to do with Tomcat per se, so I
> > > > assume you mean that the keystore created might not work with Tomcat. Under
> > > > what conditions would a keystore generated by one JDK not work with another
> > > > JDK? In testing, I was able to generate a keystore on a Windoze box with JDK
> > > > 1.3.1, copy it over to a Linux box running 1.3.0, and successfully start up
> > > > Tomcat and access a page over SSL. If you have a properly-formatted JKS store,
> > > > why would it matter which JDK produced it?
> > > >
> >
> > > --
> > > _____________________________________________________________________
> > > Patrick Luby Email: [EMAIL PROTECTED]
> > > Software Engineering Manager Phone: 408-863-3284
> > > Sun Microsystems
> > > 901 San Antonio Road, UCUP01-103
> > > Palo Alto, CA 94303-4900
> > > _____________________________________________________________________
> > >
> >
> >
> >
> > - Christopher
> >
> > /**
> > * Weep, weep, my eyes, and dissolve into tears!
> > * One half of my life has laid the other in the grave.
> > * ---Corneille
> > */
> >
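
The integrity check discussed in the quoted message, as an added example (not code from the JDK or from anyone in this thread): a digest over the password, the fixed pre-key string and the store body, compared against the store's trailer, showing that a different pre-key reads as tampering exactly like a wrong password or a modified body. Assumptions: SHA-1 with a 20-byte trailer and the 0xFEEDFEED header of the JKS format (the message says MD5; only the digest name would differ), the function names, and the constructed empty store with sample password `changeit`.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
SUN_PREKEY = b"Mighty Aphrodite"  # the string quoted from getPreKeyedHash()
OTHER_PREKEY = b"Everything You Always Wanted to Know About Sex"
SHA1_LEN = 20


def prekeyed_digest(password: str, body: bytes, prekey: bytes = SUN_PREKEY) -> bytes:
    """Digest of password (2 bytes per char, big-endian) + pre-key + store body."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(prekey)
    md.update(body)
    return md.digest()


def build_empty_jks(password: str, prekey: bytes = SUN_PREKEY) -> bytes:
    """Constructed sample: magic, version 2, zero entries, then the digest."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + prekeyed_digest(password, body, prekey)


def verify_jks(blob: bytes, password: str, prekey: bytes = SUN_PREKEY) -> bool:
    """True when the trailing digest matches; False is reported as 'tampered'."""
    if len(blob) < 12 + SHA1_LEN:
        return False
    body, stored = blob[:-SHA1_LEN], blob[-SHA1_LEN:]
    if struct.unpack(">I", body[:4])[0] != JKS_MAGIC:
        return False
    return hmac.compare_digest(stored, prekeyed_digest(password, body, prekey))


def demo() -> dict:
    store = build_empty_jks("changeit")
    modified = bytearray(store)
    modified[7] ^= 0x01  # flip one bit in the version field
    return {
        "same_prekey": verify_jks(store, "changeit"),
        "other_prekey": verify_jks(store, "changeit", OTHER_PREKEY),
        "wrong_password": verify_jks(store, "letmein"),
        "modified_body": verify_jks(bytes(modified), "changeit"),
    }


if __name__ == "__main__":
    print(demo())
```

The pre-key is a public constant, so the check depends entirely on the password: anyone who knows it can recompute a valid trailer after changing the body.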