Bug ID: JDK-8076190 Customizing the generation of a PKCS12 keystore

JDK-8076190 : Customizing the generation of a PKCS12 keystore

Type: Enhancement
Component: security-libs
Sub-Component: java.security
Affected Version: 12

Priority: P3
Status: Resolved
Resolution: Fixed

Submitted: 2015-03-27
Updated: 2022-03-17
Resolved: 2018-12-13

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 12	JDK 13	JDK 7	JDK 8	Other
11.0.12-oracleFixed	12 b24Fixed	13Fixed	7u311Fixed	8u301Fixed	openjdk8u342Fixed

Related Reports

Blocks :	JDK-8153005 - Upgrade the default PKCS12 encryption/MAC algorithms
Blocks :	JDK-8162628 - The CACERTS keystore type
CSR :	JDK-8202590 - Customizing the generation of a PKCS12 keystore
Duplicate :	JDK-8208176 - Enhance keytool to deal with password-less pkcs12 keystores nicely
Duplicate :	JDK-8245169 - EncryptedPrivateKeyInfo incorrectly decodes KDF algorithm
Relates :	JDK-8267880 - Upgrade the default PKCS12 MAC algorithm
Relates :	JDK-8266293 - Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
Relates :	JDK-8245169 - EncryptedPrivateKeyInfo incorrectly decodes KDF algorithm
Relates :	JDK-8224891 - The CACERTS keystore type
Relates :	JDK-8266182 - Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java
Relates :	JDK-8266400 - importkeystore fails to a password less pkcs12 keystore
Relates :	JDK-8208176 - Enhance keytool to deal with password-less pkcs12 keystores nicely

Sub Tasks

JDK-8215293 :	Release Note: Customizing PKCS12 keystore Generation - Closed
JDK-8215387 :	Add new Mac algorithms to JDK Providers Documentation - Closed

Description

The KeyStore.load API allows the supplied password to be null, to indicate that the keystore integrity check should be skipped. When the password is null the PKCS12 implementation returns no certificates.

This behaviour differs from JKS where certificates can be retrieved even when a null password is supplied. We should find a way to generate a PKCS12 keystore without encrypting the certificates. Furthermore, in order to completely remove the requirement of a password (when hardcoded or well-known is a security issue), we should also make the Mac part of the PKCS12 keystore optional.

Ultimately, all algorithms and parameters used in encrypting the keys, the certificates (or not encrypting), and calculating the Mac (or not calculating) should be customizable.

Comments

A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk8u-dev/pull/12 Date: 2022-03-17 12:29:02 +0000
17-03-2022
8u RFR is reviewed at https://mail.openjdk.java.net/pipermail/jdk8u-dev/2022-February/014558.html
08-02-2022
The OpenJDK 8u review has not yet concluded, so I've changed the tag to jdk8u-needs-review. Please work with Martin so that the patch gets into a suitable state for integration: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-August/014234.html https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-August/014236.html Thanks!
24-08-2021
Fix request (8u) I would like to backport JDK-8076190 to 8u. This feature minimizes behavior differences between JKS and PKCS12 keystores. Also, it fixes the issue with incorrectly decoded KDF algorithm as described in JDK-8245169 The patch is not applied clean. Reviewed at https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-August/014152.html
06-08-2021
Approved for 11u. Please link CSR JDK-8257680 to the backport bug after pushing.
22-04-2021
Fix request (11u) I would like to backport JDK-8076190 to 11u. The patch applies cleanly except of test/lib/jdk/test/lib/security/DerUtils.java which is already backported to 11u as part of JDK-8215694 (see https://hg.openjdk.java.net/jdk-updates/jdk11u/rev/551bc745f05d#l9.1) This feature minimizes behavior differences between JKS and PKCS12 keystores. Also, it fixes the issue with incorrectly decoded KDF algorithm as described in JDK-8245169 Review is started at https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-December/004335.html Review is approved at https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-April/005750.html
15-04-2021
URL: http://hg.openjdk.java.net/jdk/jdk/rev/2457d862a646 User: weijun Date: 2018-12-13 03:50:22 +0000
13-12-2018