Thanks everyone. Good to know that Java 18 will have password-less keystores, so we can support this for other formats too in future. Looks like we are in agreement that it is reasonable to relax the requirement for PEM files now.

Regards,

Rajini

On Thu, Mar 24, 2022 at 2:41 PM David Jacot <dja...@confluent.io.invalid> wrote:

> Hi all,
>
> Thanks Dejan for bringing this up. Relaxing this constraint seems
> reasonable to me. I guess we would have to relax it for the keystores
> at some point in the future as well (with Java 18).
>
> Let's wait a few days to see what others think about this.
>
> Best,
> David
>
> On Wed, Mar 23, 2022 at 8:46 PM Ismael Juma <ism...@juma.me.uk> wrote:
> >
> > Hi Rajini,
> >
> > On Mon, Mar 21, 2022 at 10:02 AM Rajini Sivaram <rajinisiva...@gmail.com>
> > wrote:
> >
> > > For the background on the current implementation: We use Java's keystore
> > > loading for JKS/PKCS12 keystore files and these files require passwords. We
> > >
> >
> > In Java 18:
> >
> > "Passwordless keystores (a keystore with no password required to unlock it)
> > are useful when the keystore is stored in a secure location and is only
> > intended to store non-sensitive information, such as public X.509
> > certificates. With a passwordless PKCS12 keystore, certificates are not
> > encrypted and there is no Mac applied as an integrity check is not
> > necessary.
> >
> > Prior to this change, creating a passwordless PKCS12 keystore was
> > difficult, and required setting various security properties. Now, a
> > passwordless PKCS12 keystore can be created by simply specifying a null
> > password to the KeyStore::store(outStream, password) API. The keystore can
> > then be loaded with a null (or any) password with the KeyStore::load() API.
> >
> > Issue: JDK-8231107"
> >
> > https://seanjmullan.org/blog/2022/03/23/jdk18
> >
> > Ismael