JDK-8062653 : Design and Implementation
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2014-10-31
  • Updated: 2015-01-13
  • Resolved: 2015-01-13
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
9 b45Fixed
1. Introduction

The Java platform supports a variety of keystore types.
For many years the default keystore type was JKS, now it is PKCS12.
PKCS12 keystores offer improved security and interoperability.

By default, new keystores will be created in the PKCS#12 format.
Existing keystores retain the keystore type that they were created with.

2. Specification

The default keystore type is specified by the following property in the
$JRE/lib/security/java.security file:


In JDK 9 it is set to "pkcs12". Previously it was set to "jks".

To prevent problems for applications that access keystores using
the default keystore type, a detector mechanism has been introduced.
This mechanism ensures that the correct keystore type is used,
regardless of the keystore type supplied by the calling application.
Currently, it detects only JKS and PKCS12 keystores.

A new security property is introduced to control the keystore type detector:


In JDK 9 it is set to "jks,pkcs12".

Applications that need to disable the detector mechanism for a specific
keystore type shall omit that type from the security property setting.

3. Implementation

Implement a keystore type detector for JKS and PKCS12 keystores.

The java.security.KeyStore class has been enhanced to detect the correct
keystore type regardless of the keystore type supplied by the caller.
Currently, only JKS and PKCS12 keystore types are detected.

4. Issues

Passwordless access is supported for JKS keystores but not for PKCS12 keystores.

CCCs and code review must be completed first.