JDK-8044445 : JEP 229: Create PKCS12 Keystores by Default
  • Type: JEP
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P2
  • Status: Closed
  • Resolution: Delivered
  • Fix Versions: 9
  • Submitted: 2014-05-30
  • Updated: 2018-01-11
  • Resolved: 2016-03-03
Related Reports
Relates :  
JDK-8072578 - ProbeKeystores.java creates files in test.src
Relates :  
JDK-8062552 - Support keystore type detection for JKS and PKCS12 keystores
Relates :  
JDK-8073955 - Update java.security.debug help text to reflect recent enhancements for debugging
Relates :  
JDK-8192987 - keytool should remember real storetype if it is not provided
Relates :  
JDK-8194307 - KeyStore#getInstance with custom LoadStoreParameter succeeds with invalid password
Relates :  
JDK-8069277 - Doclint regression in java/security/KeyStore.java
Sub Tasks
JDK-8062653 :  
Design and Implementation - Resolved
JDK-8062843 :  
Keystore type detector - Resolved
JDK-8062845 :  
Compatibility Testing - Resolved
JDK-8072506 :  
Test Task: Update existing tests for JEP 229 Create PKCS12 Keystores by Default - Closed
JDK-8072507 :  
Test Task: Develop new tests for JEP 229 Create PKCS12 Keystores by Default - Resolved
JDK-8178828 :  
Release Note: Change in the default keystore type to PKCS12 - Closed
Description
Summary 
-------

Transition the default keystore type from JKS to [PKCS12][pkcs12].

[pkcs12]: https://en.wikipedia.org/wiki/PKCS_12

Goals 
-----

  - Improve security.  PKCS12 offers stronger cryptographic algorithms
    than JKS.

  - Maintain forward and backward compatibility.  Applications that
    access JKS and PKCS12 keystores must continue to function across
    JDK releases.


Motivation 
----------

JKS is a custom, JDK-specific keystore type. It has been the default
keystore type for the Java platform since JDK 1.2. JKS keystores can only
store private keys and trusted public-key certificates, and they are
based on a proprietary format that is not easily extensible to new
cryptographic algorithms.

[PKCS12][pkcs12] is an extensible, standard, and widely-supported format
for storing cryptographic keys. As of JDK 8, PKCS12 keystores can store
private keys, trusted public key certificates, and secret keys. Switching
to PKCS12 improves keystore integrity and confidentiality. It also opens
opportunities for interoperability with other systems that also support
PKCS12.


Description 
-----------

This feature changes the default keystore type from JKS to PKCS12. By
default, new keystores will be created in the PKCS12 keystore
format. Existing keystores will not change and keystore applications can
continue to explicitly specify the keystore type they require.

Existing applications must not be disrupted. Keystores tend to be
long-lived, so we need to support access across several JDK
releases. Applications that access keystores created by earlier JDK
releases must run unaltered on JDK 9. Similarly, applications that access
keystores created by JDK 9 should run unaltered on earlier JDK releases.

This requirement is achieved by introducing a keystore detection
mechanism that understands both the JKS and PKCS12 formats. A keystore's
format is examined before it is loaded to determine its type and then the
appropriate keystore implementation is used to access it. The mechanism
is enabled by default but can be disabled if required.

Support for this keystore-detection mechanism may be backported to
earlier JDK releases.


Testing 
-------

Significant testing is required across JDK releases to ensure that
compatibility is maintained for applications that access keystores.
Comments
Added PKCS12 link to Summary. Relocated link label to Summary section.
06-12-2016