RFR: 8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long" [v2]

Valerie Peng valeriep at openjdk.java.net
Thu May 6 17:55:52 UTC 2021

On Thu, 6 May 2021 14:25:13 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> `PKCS12KeyStore` always uses a 20-byte salt in encryption but PBEWithMD5AndDES only accepts 8-byte salt. With this code change, the salt used for this algorithm will be 8 bytes.
>> RFC 2898 only requires the salt to be at least 8 bytes, but I don't intend to modify the `PBES1Core.java` to accept a long salt. Otherwise, a newly generated PKCS #⁠12 file using a long salt will not be recognized by an old JDK.
>> Also, although `PBES1Core.java` also take cares of another algorithm named PBEWithMD5AndDESede but it's not usable in a PKCS #⁠12 keystore as we have not defined its Object Identifier anywhere.
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>   better comment

Changes look good.


Marked as reviewed by valeriep (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/3822

More information about the security-dev mailing list