diff -r b313bcb68b4c -r 438337c846fb src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java
--- a/src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java Wed Nov 20 14:51:42 2019 +0000
+++ b/src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java Tue Nov 12 00:30:55 2019 -0300
@@ -48,6 +48,7 @@
 import sun.security.x509.AlgorithmId;
 import sun.security.util.ObjectIdentifier;
+import sun.security.util.SecurityProperties;
 /**
 * This class implements a protection mechanism for private keys. In JCE, we
@@ -75,14 +76,39 @@
 private static final String KEY_PROTECTOR_OID = "1.3.6.1.4.1.42.2.17.1.1";
 private static final int MAX_ITERATION_COUNT = 5000000;
- private static final int ITERATION_COUNT = 200000;
+ private static final int MIN_ITERATION_COUNT = 10000;
+ private static final int DEFAULT_ITERATION_COUNT = 200000;
 private static final int SALT_LEN = 20; // the salt length
 private static final int DIGEST_LEN = 20;
+ private static final int ITERATION_COUNT;
 // the password used for protecting/recovering keys passed through this
 // key protector
 private char[] password;
+ /**
+ * {@systemProperty jdk.jceks.iterationCount} property indicating the
+ * number of iterations for password-based encryption (PBE) in JCEKS
+ * keystores. Values in the range 10000 to 5000000 are considered valid.
+ * If the value is out of this range, or is not a number, or is
+ * unspecified; a default of 200000 is used.
+ */
+ static {
+ int iterationCount = DEFAULT_ITERATION_COUNT;
+ String ic = SecurityProperties.privilegedGetOverridable(
+ "jdk.jceks.iterationCount");
+ if (ic != null && !ic.isEmpty()) {
+ try {
+ iterationCount = Integer.parseInt(ic);
+ if (iterationCount < MIN_ITERATION_COUNT ||
+ iterationCount > MAX_ITERATION_COUNT) {
+ iterationCount = DEFAULT_ITERATION_COUNT;
+ }
+ } catch (NumberFormatException e) {}
+ }
+ ITERATION_COUNT = iterationCount;
+ }
+
 KeyProtector(char[] password) {
 if (password == null) {
 throw new IllegalArgumentException("password can't be null");