RFR: 8288050: Add support of SHA-512/224 and SHA-512/256 to the PBKDF2 and PBES2 impls in SunJCE provider [v4]

Bernd duke at openjdk.org
Sat Dec 17 01:45:48 UTC 2022


On Wed, 14 Dec 2022 00:23:44 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> This RFE enhances existing PBE algorithms with the "SHA512/224" and "SHA512/256" support. 
>> Current transformation parsing in javax.crypto.Cipher class is re-written to handle the additional "/" in the "SHA512/224" and "SHA512/256" algorithm names. Existing tests are updated with the additional new algorithms.
>
> Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
> 
>   address review feedbacks

I checked again, it is in the Javadoc, but a bit hidden since it’s not listed near the algorithm name (in the JCE algorithm names doc).

The PBEKey limits it to single-byte ASCII only: https://github.com/openjdk/jdk/blob/6dc4d891c3ad043405c65e0e0eeef28e9e5a2156/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java#L69 (which would be compatible with UTF-8). That restriction is indeed good info to document, as the Javadoc only says “takes low byte”.

https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/spec/PBEKeySpec.html

It also mentions that the PKCS12 factory uses UCS-2 (well, “2 bytes”). But it would still be nice to have that info in the algorithm spec doc as well.

Regarding a PKCS8 mode with UTF-8, what’s the easiest way to propose an RFE for a non-committer?

-------------

PR: https://git.openjdk.org/jdk/pull/11339
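
The password encodings discussed in this message, shown side by side as an added example that is not part of the original e-mail or of the JDK sources. The helper names and sample passwords are constructed for illustration, and the code assumes the SunJCE provider supplies `PBEWithHmacSHA256AndAES_128`.

```java
import java.nio.charset.StandardCharsets;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PbePasswordEncoding {
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // "Takes low byte", as the PBEKeySpec Javadoc puts it: low 8 bits of each char.
    static byte[] lowByte(char[] pw) {
        byte[] out = new byte[pw.length];
        for (int i = 0; i < pw.length; i++) out[i] = (byte) pw[i];
        return out;
    }

    // Two bytes per char, big-endian (illustration only, not provider code).
    static byte[] twoBytes(char[] pw) {
        return new String(pw).getBytes(StandardCharsets.UTF_16BE);
    }

    static byte[] utf8(char[] pw) {
        return new String(pw).getBytes(StandardCharsets.UTF_8);
    }

    // True if the PBE key factory accepts the password, false if it rejects it.
    static boolean pbeAccepts(char[] pw) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBEWithHmacSHA256AndAES_128");
        try {
            f.generateSecret(new PBEKeySpec(pw));
            return true;
        } catch (InvalidKeySpecException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample passwords: one printable ASCII, one with U+00E4 and U+00F6.
        for (String s : new String[] {"passw0rd", "p\u00e4ssw\u00f6rd"}) {
            char[] pw = s.toCharArray();
            System.out.println("low byte : " + hex(lowByte(pw)));
            System.out.println("UTF-8    : " + hex(utf8(pw)));
            System.out.println("2 bytes  : " + hex(twoBytes(pw)));
            System.out.println("PBE factory accepts: " + pbeAccepts(pw));
        }
    }
}
```

For the ASCII password the low-byte and UTF-8 forms are identical, which is why the ASCII-only restriction stays compatible with UTF-8. For the second password the three encodings diverge, so two implementations that encode it differently would derive different keys from the same password.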

