public static final class UniversalKeyStore.PKCS12JKSKeyStore extends UniversalKeyStore
Oracle has changed the JDK default KeyStore format from "JKS" to "PKCS12",
but still uses the JKS format for its cacerts default KeyStore.
When, for instance, an application uses JSSE to connect to a TLS/HTTPS server
(and has not explicitly set a trust store), JSSE tries to read the
certificates from the default cacerts KeyStore by instantiating a
KeyStore with the default format ("PKCS12"). When IAIK is installed as the
first provider, the PKCS12 KeyStore of the IAIK provider is instantiated and tries
to parse the cacerts KeyStore. This must fail, since
cacerts is a JKS KeyStore which cannot be read by the IAIK PKCS12KeyStore
(which, of course, expects a KeyStore in PKCS12 format). The TLS/HTTPS connection
attempt will fail with an Exception saying that the trust store cannot be
accessed because of a KeyStore parsing problem.
There are several workarounds for this problem that keep IAIK as the first provider:

- Set the trust store (and, if required, the key store) type explicitly to JKS via system properties:
  java -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.keyStoreType=jks …
- Set setUseJKSFallBack() to true:
  PKCS12KeyStore.setUSEJKSFallBack(true);

With the fallback enabled (by calling PKCS12KeyStore.setUSEJKSFallBack(true);)
the IAIK PKCS12KeyStore is advised to try the JKS format whenever it fails
to parse a PKCS#12 KeyStore. This may cause some overhead. For that reason (and
because you may not notice that you are reading a JKS KeyStore while you expect to
read a PKCS#12 KeyStore) the JKS fallback mechanism is disabled by default and
has to be explicitly enabled by calling PKCS12KeyStore.setUSEJKSFallBack(true);.

Nested classes inherited from class UniversalKeyStore: UniversalKeyStore.KeyStoreType, UniversalKeyStore.PKCS12JKSKeyStore

Fields inherited from class UniversalKeyStore: KS_TYPE_IAIK, KS_TYPE_PKCS12

| Constructor and Description |
|---|
| PKCS12JKSKeyStore() Default constructor. |

Methods inherited from class UniversalKeyStore: engineAliases, engineContainsAlias, engineDeleteEntry, engineGetCertificate, engineGetCertificateAlias, engineGetCertificateChain, engineGetCreationDate, engineGetKey, engineIsCertificateEntry, engineIsKeyEntry, engineLoad, engineSetCertificateEntry, engineSetKeyEntry, engineSetKeyEntry, engineSize, engineStore, setSupportedKeyStoreTypes
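The third option, beyond the two workarounds listed in the description above, is for the application itself to stop relying on the default KeyStore type. The following added example (not IAIK-JCE or JDK code; the class ExplicitTrustStore and its methods are hypothetical names) sniffs the file header to decide between JKS and PKCS#12, requests that type explicitly, and builds an SSLContext from it, so neither provider order nor the silent JKS fallback can affect which parser handles the file. It goes slightly beyond the page in that it accepts either format rather than assuming cacerts is JKS.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper, not part of IAIK-JCE or the JDK. */
public final class ExplicitTrustStore {
    /**
     * Decides the KeyStore type from the file content instead of KeyStore.getDefaultType():
     * a JKS file starts with the magic 0xFEEDFEED, a PKCS#12 file is DER and so starts with
     * a SEQUENCE tag (0x30). Anything else is rejected so that a wrong file fails loudly.
     */
    static String detectType(Path file) throws IOException {
        int magic;
        try (DataInputStream in = new DataInputStream(Files.newInputStream(file))) {
            magic = in.readInt(); // big-endian; throws EOFException if shorter than 4 bytes
        }
        if (magic == 0xFEEDFEED) {
            return "JKS";
        }
        if ((magic >>> 24) == 0x30) {
            return "PKCS12";
        }
        throw new IOException("neither a JKS nor a PKCS#12 header: " + file);
    }

    /** Loads the store with the detected type and builds an SSLContext that trusts only it. */
    static SSLContext sslContextFrom(Path trustStoreFile, char[] password)
            throws IOException, GeneralSecurityException {
        // Naming the type explicitly means provider order cannot hand us a PKCS#12
        // implementation for a JKS file, which is the failure described above.
        KeyStore trustStore = KeyStore.getInstance(detectType(trustStoreFile));
        try (InputStream in = Files.newInputStream(trustStoreFile)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Call sslContextFrom(Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts"), "changeit".toCharArray()) to build a context from the JDK's cacerts, assuming the standard location and the JDK's default cacerts password; pass the resulting context's socket factory to your HTTPS client instead of depending on the javax.net.ssl.* defaults.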