[External] : AW: [11u] RFR: 8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u

Seán Coffey sean.coffey at oracle.com
Fri May 28 14:35:51 UTC 2021 

here are the main changes that we pushed for JDK 11u:

> diff --git a/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java b/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
> index a62452bdcd..441f2b651e 100644
> --- a/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
> +++ b/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
> @@ -101,10 +101,10 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
>               = "PBEWithHmacSHA256AndAES_256";
>       private static final String DEFAULT_KEY_PBE_ALGORITHM
>               = "PBEWithHmacSHA256AndAES_256";
> -    private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA256";
> +    private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA1";
>       private static final int DEFAULT_CERT_PBE_ITERATION_COUNT = 10000;
>       private static final int DEFAULT_KEY_PBE_ITERATION_COUNT = 10000;
> -    private static final int DEFAULT_MAC_ITERATION_COUNT = 10000;
> +    private static final int DEFAULT_MAC_ITERATION_COUNT = 100000;
>   
>       // Legacy settings. Used when "keystore.pkcs12.legacy" is set.
>       private static final String LEGACY_CERT_PBE_ALGORITHM
> diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
> index b0c5beccf6..893567071c 100644
> --- a/src/java.base/share/conf/security/java.security
> +++ b/src/java.base/share/conf/security/java.security
> @@ -1200,12 +1200,12 @@ jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep
>   # The algorithm used to calculate the optional MacData at the end of a PKCS12
>   # file. This can be any HmacPBE algorithm defined in the Mac section of the
>   # Java Security Standard Algorithm Names Specification. When set to "NONE",
> -# no Mac is generated. The default value is "HmacPBESHA256".
> -#keystore.pkcs12.macAlgorithm = HmacPBESHA256
> +# no Mac is generated. The default value is "HmacPBESHA1".
> +#keystore.pkcs12.macAlgorithm = HmacPBESHA1
>   
>   # The iteration count used by the MacData algorithm. This value must be a
> -# positive integer. The default value is 10000.
> -#keystore.pkcs12.macIterationCount = 10000
> +# positive integer. The default value is 100000.
> +#keystore.pkcs12.macIterationCount = 100000
>   
>   #
>   # Enhanced exception message information

regards,
Sean.

On 28/05/2021 15:02, Doerr, Martin wrote:
>
> Hi Sean,
>
> thank you for your quick reply. I was already hoping to get such feedback.
>
> I had read the CSR and I had already thought that you guys didn’t 
> revert the complete change.
>
> My problem is that I can’t see what exactly you have done.
>
> I’m concerned about making it insecure by creating a mixture of old 
> and new behavior. How can I ensure to get the same behavior as 
> 11.0.12-oracle?
>
> Would it be possible to publish your security file and 
> PKCS12KeyStore.java?
>
> Otherwise, wouldn’t it be safer to stick with the old behavior until 
> we switch to the new one in a future release?
>
> Best regards,
>
> Martin
>
> *Von: *Seán Coffey <sean.coffey at oracle.com>
> *Datum: *Freitag, 28. Mai 2021 um 15:42
> *An: *Doerr, Martin <martin.doerr at sap.com>, 
> jdk-updates-dev at openjdk.java.net <jdk-updates-dev at openjdk.java.net>, 
> security-dev <security-dev at openjdk.java.net>, Hohensee, Paul 
> <hohensee at amazon.com>
> *Betreff: *Re: [11u] RFR: 8267599: Revert the change to the default 
> PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
>
> Martin,
>
> you seem to be suggesting a full revert of the JDK-8153005 changes. Note
> that the Oracle JDK changes only relate to to the default PKCS12
> macAlgorithm and macIterationCount (back to HmacPBESHA1 and 100000
> respectively). While there are other interoperability concerns with the
> keystore.pkcs12.certProtectionAlgorithm and
> keystore.pkcs12.keyProtectionAlgorithm values [1], they relate to JDK
> 8u/7u where PKCS12 is not the default keystore type.
>
> regards,
> Sean.
>
> [1] https://bugs.openjdk.java.net/browse/JDK-8267837 
> <https://bugs.openjdk.java.net/browse/JDK-8267837>
>
> On 28/05/2021 13:52, Doerr, Martin wrote:
> > Hi,
> >
> > Oracle has reverted the changes from JDK-8153005 backport in 
> 11.0.12-oracle for interoperability reasons. See:
> > https://bugs.openjdk.java.net/browse/JDK-8267599 
> <https://bugs.openjdk.java.net/browse/JDK-8267599>
> > and CSR:
> > https://bugs.openjdk.java.net/browse/JDK-8267701 
> <https://bugs.openjdk.java.net/browse/JDK-8267701>
> >
> > I had to adapt the small test addition from JDK-8266293 (see "// 
> 8266293" comment in ParamsPreferences.java):
> > 
> http://cr.openjdk.java.net/~mdoerr/8267599_revert_8153005_11u/webrev.00/ 
> <http://cr.openjdk.java.net/~mdoerr/8267599_revert_8153005_11u/webrev.00/>
> >
> > Please review.
> > Comments?
> >
> > Best regards,
> > Martin
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20210528/7be6478f/attachment.htm>

More information about the security-dev mailing list