All,

On 5/22/20 17:01, Christopher Schultz wrote:
> All,
>
> I've been writing a utility to scan a bunch of arbitrary files for
> certificates that are nearing expiration. It's written in Java and
> it currently works with PEM-encoded DER files (aka OpenSSL files)
> and PKCS12 keystores. I'm sure it would also work with the other
> flavors of Java key store, but I haven't (yet) tried them.
>
> What I have noticed is that:
>
> KeyStore ks = KeyStore.getInstance("JKS");
> ks.load(pkcs12InputStream, null);
>
> ...seems to have no problem whatsoever with the fact that the
> "keystore type" is JKS but the file being loaded is PKCS12. That
> makes sense to me, since the in-memory keystore doesn't really have
> a "type": only the on-disk representation of the keystore has a
> "type", etc.
>
> All of the information I can find online seems to indicate that
> the (in-memory) KeyStore "type" must match what you are loading, or
> you'll get an exception. But I'm finding that the in-memory type
> doesn't matter, and the load works as long as the file is legit.
>
> But the in-memory type doesn't change when the file is loaded.
> Hmm.
>
> So two off-topic questions:
>
> 1. Can I rely on the "type doesn't matter" behavior I'm seeing, or
> do I have to loop over all the supported keystore types,
> attempting to (re)load the file each time looking for the right
> type -- just to be safe?

Answering my own question, here. Evidently, in Java 1.8 u60 or so, Oracle added the "keystore.type.compat" security property which defaults to "true". This allows auto-detection of formats regardless of the in-memory type.

So it seems that, to be safe, I'll have to iterate through the supported formats "just in case" because that setting can always be disabled.

> 2. Is there a way to determine the type of file that WAS loaded
> into a KeyStore? It seems that there is a magic header I can use if
> I want to look at the raw bytes to detect the Java keystore formats
> (0xfeedfeed, 0xcececece), but I think that's not exactly true for
> PKCS12 and maybe some other supported formats. I'd rather not look
> at the bytes myself unless it's absolutely necessary.

I'm still not sure about this.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
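As an added illustration of the two points in the message above (it is not Chris's scanner, and the class name, argument layout and 30-day default are assumptions), the following Java program sniffs the on-disk format from the magic numbers named in the thread, then loads the file by iterating over the registered KeyStore types so that it does not depend on the keystore.type.compat auto-detection, and finally reports certificates that are past or near their notAfter date.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added example, not the scanner from the thread. Class name, argument layout and the
// 30-day default are assumptions; the magic numbers are the ones named in the message.
public class KeyStoreSniffer {

    // The Sun proprietary formats carry a fixed 4-byte magic. PKCS12 does not: it is DER and
    // merely starts with an ASN.1 SEQUENCE tag (0x30), which plenty of other files share.
    private static final int JKS_MAGIC = 0xfeedfeed;
    private static final int JCEKS_MAGIC = 0xcececece;

    /** Best-effort on-disk format read from the leading bytes, independent of any KeyStore type. */
    public static String sniffFormat(byte[] data) {
        if (data.length >= 4) {
            int magic = ((data[0] & 0xff) << 24) | ((data[1] & 0xff) << 16)
                      | ((data[2] & 0xff) << 8) | (data[3] & 0xff);
            if (magic == JKS_MAGIC) return "JKS";
            if (magic == JCEKS_MAGIC) return "JCEKS";
        }
        if (data.length >= 1 && (data[0] & 0xff) == 0x30) return "PKCS12?";
        return "UNKNOWN";
    }

    /** Declared types to try, most likely first, then every type the installed providers register. */
    static List<String> candidateTypes(byte[] data) {
        Set<String> types = new LinkedHashSet<>();
        String sniffed = sniffFormat(data);
        if (sniffed.equals("JKS") || sniffed.equals("JCEKS")) types.add(sniffed);
        types.add("PKCS12");
        types.addAll(Security.getAlgorithms("KeyStore"));
        return new ArrayList<>(types);
    }

    /** Loads by trying each candidate type; behaves the same whether or not keystore.type.compat is on. */
    public static KeyStore load(byte[] data, char[] password) throws IOException {
        List<String> failures = new ArrayList<>();
        for (String type : candidateTypes(data)) {
            try {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(new ByteArrayInputStream(data), password);
                return ks;
            } catch (GeneralSecurityException | IOException e) {
                failures.add(type + ": " + e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
        throw new IOException("No registered KeyStore type accepted the data: " + failures);
    }

    /** One line per X.509 certificate whose notAfter is already past or within {@code warn} of now. */
    public static List<String> expiringCertificates(KeyStore ks, Duration warn) throws KeyStoreException {
        Instant deadline = Instant.now().plus(warn);
        List<String> report = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);   // non-null for key entries
            if (chain == null) {
                Certificate single = ks.getCertificate(alias);     // trusted-cert entries
                chain = single == null ? new Certificate[0] : new Certificate[] { single };
            }
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                Instant notAfter = x.getNotAfter().toInstant();
                if (notAfter.isBefore(deadline)) {
                    report.add(alias + ": " + x.getSubjectX500Principal() + " expires " + notAfter);
                }
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: KeyStoreSniffer <keystore-file> [password] [warn-days]");
            System.exit(2);
        }
        byte[] data = Files.readAllBytes(Paths.get(args[0]));
        char[] password = args.length > 1 ? args[1].toCharArray() : null;
        Duration warn = Duration.ofDays(args.length > 2 ? Long.parseLong(args[2]) : 30);
        System.out.println("sniffed on-disk format:    " + sniffFormat(data));
        KeyStore ks = load(data, password);
        // getType() only reports the declared type that accepted the bytes, not the on-disk format.
        System.out.println("declared type that loaded: " + ks.getType());
        for (String line : expiringCertificates(ks, warn)) System.out.println("WARN " + line);
    }
}
```

The ordering in candidateTypes is what makes ks.getType() agree with the real on-disk format where a magic exists: with keystore.type.compat left at its default, a "JKS" instance happily accepts a PKCS12 file, so trying the sniffed type first (and PKCS12 before the generic provider list) keeps the declared type from being an accident of iteration order. A quick input for trying it is a short-lived PKCS12 store from keytool, e.g. `keytool -genkeypair -alias test -keyalg RSA -keystore test.p12 -storetype PKCS12 -storepass changeit -dname "CN=test" -validity 10`, then `java KeyStoreSniffer test.p12 changeit 30`, which should print the sniffed format, the declared type and one WARN line.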