JDK-8274913 : Change default pkcs12 certpbe algorithm to NONE
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P4
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2021-10-07
  • Updated: 2021-10-14
Description
One major difference between JKS and PKCS12 keystores generated by Java is that JKS stores certificates in plaintext while PKCS12 encrypts them. This has been the major obstacle to switching fully from JKS to PKCS12, especially for the cacerts file, where everything is public information and there is no benefit in encrypting the certificates and then publicizing the password to the whole world. This enhancement proposes changing the default certificate protection (certpbe) algorithm to NONE (precisely, keystore.pkcs12.certProtectionAlgorithm in java.security). For newly created PKCS12 files this means: 1) keys are still protected by individual passwords, 2) certificates are stored in plaintext, and 3) MacData is present for the integrity check. This aligns PKCS12 with JKS on this point and makes PKCS12 files friendlier to handle with the KeyStore API.
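As an added illustration (not code from the JDK or from this issue), the check below walks the outer DER structure of a PKCS12 file and reports whether each AuthenticatedSafe part is plaintext `data` or `encryptedData`, and whether MacData is present; a Java-written file under the proposed NONE default should show two `data` parts (shrouded key bags and cert bags) plus MacData, while the current default shows the cert part as `encryptedData`. The PFX blobs it is run on are constructed skeletons with placeholder bag payloads, built only to exercise the parser.

```python
# Added example, not JDK code: inspect a PKCS12/PFX blob's outer structure.
OID_DATA = bytes.fromhex("2A864886F70D010701")        # pkcs7-data
OID_ENCRYPTED = bytes.fromhex("2A864886F70D010706")   # pkcs7-encryptedData
OID_NAMES = {OID_DATA: "data", OID_ENCRYPTED: "encryptedData"}

def tlv(buf: bytes, i: int):
    # Decode one DER TLV at offset i; return (tag, value, next_offset).
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:                               # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def inspect_pfx(pfx: bytes) -> dict:
    # Classify each AuthenticatedSafe ContentInfo and detect the optional MacData.
    _, body, _ = tlv(pfx, 0)                   # PFX ::= SEQUENCE
    _, version, i = tlv(body, 0)               # INTEGER version (3)
    _, auth_ci, i = tlv(body, i)               # authSafe ContentInfo
    has_mac = i < len(body)                    # macData is the optional third field
    _, ct, j = tlv(auth_ci, 0)
    if ct != OID_DATA:                         # password-integrity mode only
        raise ValueError("unsupported authSafe content type")
    _, ctx0, _ = tlv(auth_ci, j)               # [0] EXPLICIT
    _, octets, _ = tlv(ctx0, 0)                # OCTET STRING wrapping AuthenticatedSafe
    _, seq, _ = tlv(octets, 0)                 # SEQUENCE OF ContentInfo
    kinds, k = [], 0
    while k < len(seq):
        _, ci, k = tlv(seq, k)
        _, inner_ct, _ = tlv(ci, 0)
        kinds.append(OID_NAMES.get(inner_ct, "other"))
    return {"version": version[0], "safes": kinds, "mac_data": has_mac}

# Constructed sample input: PFX skeletons whose bag payloads are placeholders.
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def content_info(oid: bytes, content: bytes) -> bytes:
    return der(0x30, der(0x06, oid) + der(0xA0, content))

def build_pfx(certs_encrypted: bool, with_mac: bool = True) -> bytes:
    key_safe = content_info(OID_DATA, der(0x04, b"<shroudedKeyBag placeholder>"))
    if certs_encrypted:   # current Java default: cert bags inside pkcs7-encryptedData
        cert_safe = content_info(OID_ENCRYPTED, der(0x30, b"<EncryptedData placeholder>"))
    else:                 # certProtectionAlgorithm=NONE: plaintext cert bags
        cert_safe = content_info(OID_DATA, der(0x04, b"<certBag placeholder>"))
    auth_safe = der(0x30, key_safe + cert_safe)
    body = der(0x02, b"\x03") + content_info(OID_DATA, der(0x04, auth_safe))
    if with_mac:
        body += der(0x30, b"<MacData placeholder>")
    return der(0x30, body)
```

On a real file, `inspect_pfx(open("keystore.p12", "rb").read())` gives the same report without needing the store password, which is exactly what plaintext certificates make possible.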
Comments
When Windows Server 2016 exports a key pair in its keystore to a PFX file, the certificates inside are not encrypted. OpenSSL still encrypts certificates in its `openssl pkcs12 -export` by default.
07-10-2021