8285827: Describe the keystore.pkcs12.legacy system property in the java.security file #8452
Conversation
|
|
Webrevs
|
| @@ -1171,6 +1171,19 @@ jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep | |||
| # name, an exception will be thrown when the property is used. | |||
| # If the property is not set or empty, a default value will be used. | |||
| # | |||
| # For compatibility, the system property "keystore.pkcs12.legacy" can be set | |||
There was a problem hiding this comment.
Was wondering if we should add why you might want to set this property, ex: "For compatibility with JDK or PKCS12 implementations that do not support the stronger algorithms ..."
Compatibility with prior JDK versions should be less of an issue over time as these stronger settings and algs have been backported to prior JDKs.
There was a problem hiding this comment.
OpenSSL's help page shows
-legacy Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs
Can we also say "To work with legacy PKCS #12 files"?
There was a problem hiding this comment.
But isn't it mostly an issue when creating new keystores and not reading existing ones? I would want to avoid users thinking that they had to set this in more cases than needed.
There was a problem hiding this comment.
How about this?
To work with legacy PKCS #12 tools that does not support the new algorithms,
the system property "keystore.pkcs12.legacy" can be set
which will override the properties defined here with old settings.
This system property is equivalent to
There was a problem hiding this comment.
I think the text above might still make some users concerned that they should always set this property.
Maybe we can be less specific, and just say: "If you encounter compatibility issues with software that doesn't support the stronger algorithms, the system property ..."
There was a problem hiding this comment.
Can we say both? All these properties are only used when creating the file (key-related ones when creating the key). If a compatibility issue already happens, users need to downgrade their keystore.
So, the full text will be something like
Some legacy PKCS #12 tools or libraries do not support the new algorithms based on
PBES2 and AES. In order to create a PKCS #12 keystore for them, the system property
"keystore.pkcs12.legacy" can be set which overrides the properties defined here with
legacy algorithm. Setting this system property is equivalent to
....
Also, you can downgrade an existing PKCS #12 keystore that already uses new algorithms
to use legacy algorithms with
keytool -J-Dkeystore.pkcs12.legacy -importkeystore -srckeystore ks -destkeystore ks
This system property should be used at your own risk. Please note there is
no value defined for this system property, i.e. "-Dkeystore.pkcs12.legacy"
has the same effect as "-Dkeystore.pkcs12.legacy=<any value>".
I'll double check if the command can indeed downgrade key algorithms as well. Update: it works. All 3 algorithms (key, cert, mac) downgraded to legacy ones.
There was a problem hiding this comment.
It's a little long, but I can see why it is useful, so I think it's good. I would avoid the word "new" as this won't be new in a few years time. Here is an edit where I removed words which I thought were not essential:
Some PKCS #12 tools and libraries may not support algorithms based on PBES2 and AES.
To create a PKCS #12 keystore which they can load, set the system property
"keystore.pkcs12.legacy" which overrides the values of the properties defined below with
legacy algorithms. Setting this system property is equivalent to....
Also, you can downgrade an existing PKCS #12 keystore created with stronger algorithms
to legacy algorithms withkeytool -J-Dkeystore.pkcs12.legacy -importkeystore -srckeystore ks -destkeystore ks
This system property should be used at your own risk.
Don't think you really need the sentence below, as you have already given several examples:
Please note there is
no value defined for this system property, i.e. "-Dkeystore.pkcs12.legacy"
has the same effect as "-Dkeystore.pkcs12.legacy=".
There was a problem hiding this comment.
The reason I added the last sentence is because this property has no value. Someone might think they can set it to false to disable it, but that is equivalent to set it to true.
There was a problem hiding this comment.
Ah I see. Maybe put in the previous sentence, ex: "When set, this system property (which can only be enabled and has no value) is equivalent to:"
Just a suggestion.
There was a problem hiding this comment.
Suggested accepted. I just pushed a new commit. I modified "PKCS #12" to "PKCS12" because that's the word we used throughout the file.
|
@wangweij This change now passes all automated pre-integration checks. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 51 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.
|
|
/integrate |
|
Going to push as commit cfcba1f.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
We added a new system property back in https://bugs.openjdk.java.net/browse/JDK-8153005 but it's better to describe it in the
java.securityfile as well.Please review the text. I especially added the last sentence so that people won't set
-Dkeystore.pkcs12.legacy=false.Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/8452/head:pull/8452$ git checkout pull/8452Update a local copy of the PR:
$ git checkout pull/8452$ git pull https://git.openjdk.java.net/jdk pull/8452/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 8452View PR using the GUI difftool:
$ git pr show -t 8452Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/8452.diff