RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms
Hai-May Chao
hchao at openjdk.java.net
Thu Oct 8 06:50:02 UTC 2020
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.
Looks good. Only minor comments.
src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 103:
> 101: = "PBEWithHmacSHA256AndAES_256";
> 102: private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA256";
> 103: private static final int DEFAULT_PBE_ITERATION_COUNT = 50000;
As we have keystore.pkcs12.certPbeIterationCount and keystore.pkcs12.keyPbeIterationCount, I would like to suggest that
we can define DEFAULT_CERT_PBE_ITERATION_COUNT and DEFAULT_KEY_PBE_ITERATION_COUNT, specifying each of the values for
finer granularity. Same for LEGACY_PBE_ITERATION_COUNT.
test/jdk/sun/security/mscapi/VeryLongAlias.java line 48:
> 46:
> 47: static String alias = String.format("%0512d", new Random().nextInt(100000));
> 48:
Add bug number to @bug.
-------------
PR: https://git.openjdk.java.net/jdk/pull/473