xtclang / xvm

Ecstasy and XVM

Add CertificateManager.extractKey() API #228

Closed ggleyzer closed 4 months ago

ggleyzer commented 4 months ago

All the KeyStore API was intentionally designed in such a way that if you ask for a private key [of a key pair] or a symmetrical [secret] key, you would get an object that could be used as such a secret, but a developer would have no way to extract/expose the actual key material. Now, for the reverse proxy management project, we came to a requirement to get access/propagate that vulnerable data outside of the single machine boundaries.

The KeyStore [injectable] interface is meant to be read only, and all the keystore mutations are contained in the CertificateManager [injectable] interface. This change adds an API to the latter that allows the developer (at this time most likely just us as developers of the platform) to extract the raw key material from the keystore.