RFR: 8288050: Add support of SHA-512/224 and SHA-512/256 to the PBKDF2 and PBES2 impls in SunJCE provider [v5]

Bernd duke at openjdk.org
Sat Jan 28 07:44:25 UTC 2023


On Wed, 25 Jan 2023 22:33:59 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> This RFE enhances existing PBE algorithms with the "SHA512/224" and "SHA512/256" support. 
>> Current transformation parsing in javax.crypto.Cipher class is re-written to handle the additional "/" in the "SHA512/224" and "SHA512/256" algorithm names. Existing tests are updated with the additional new algorithms.
>
> Valerie Peng has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains six additional commits since the last revision:
> 
>  - Merge branch 'master' of https://github.com/openjdk/jdk into JDK-8288050
>    so bot can find the CSR for JDK21 and mark the PR complete.
>  - address review feedbacks
>  - handle the "SHA512/2" lookup of the cipher transformation in a case-insensitive way.
>  - remove extra whitespace
>  - remove trailing whitespace
>  - 8288050: Add support of SHA-512/224 and SHA-512/256 to the PBKDF2 and PBES2 impls in SunJCE provider

Another question, the cipher/keyfactory PBEWithHmacSHA512/224AndAES_256 algorithm looks a bit strange, that would require two rounds of the iterations - I mean it might not be much work to implement it anyway, but I wonder if it is a good combination?

On the other hand PBEWithHmacSHA512/224AndAES_192 might be a good combo. (Or generally the AES192 variants are missing?)

-------------

PR: https://git.openjdk.org/jdk/pull/11339
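
The block-count point raised in the message above, as an added example (not part of the thread and not SunJCE code): PBKDF2 from RFC 8018 written out by hand so the HMAC invocations can be counted for each PRF and AES key size. The class name, password, salt and iteration count are constructed for illustration, and it assumes the AES key is the only PBKDF2 output.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical demo class, not part of the JDK.
public class Pbkdf2BlockCost {
    static long prfCalls;  // number of HMAC invocations performed

    // PBKDF2 per RFC 8018 section 5.2, spelled out so PRF calls can be counted.
    static byte[] pbkdf2(String prf, byte[] password, byte[] salt, int c, int dkLen)
            throws Exception {
        Mac mac = Mac.getInstance(prf);
        mac.init(new SecretKeySpec(password, prf));
        int hLen = mac.getMacLength();
        int blocks = (dkLen + hLen - 1) / hLen;   // l = ceil(dkLen / hLen)
        byte[] dk = new byte[blocks * hLen];
        for (int i = 1; i <= blocks; i++) {
            mac.update(salt);
            mac.update(ByteBuffer.allocate(4).putInt(i).array()); // INT(i), big-endian
            byte[] u = mac.doFinal();             // U_1
            prfCalls++;
            byte[] t = u.clone();
            for (int j = 1; j < c; j++) {         // U_2 .. U_c, XORed into T_i
                u = mac.doFinal(u);
                prfCalls++;
                for (int k = 0; k < hLen; k++) t[k] ^= u[k];
            }
            System.arraycopy(t, 0, dk, (i - 1) * hLen, hLen);
        }
        return Arrays.copyOf(dk, dkLen);          // truncate to the requested key size
    }

    public static void main(String[] args) throws Exception {
        byte[] pw = "constructed-password".getBytes(StandardCharsets.UTF_8);
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        int c = 10_000;                           // constructed iteration count
        String[] prfs = {"HmacSHA512/224", "HmacSHA512/256"};
        int[] keyBytes = {16, 24, 32};            // AES-128, AES-192, AES-256
        for (String prf : prfs) {
            for (int len : keyBytes) {
                prfCalls = 0;
                pbkdf2(prf, pw, salt, c, len);
                System.out.printf("%s, AES-%d key: %d HMAC calls%n", prf, len * 8, prfCalls);
            }
        }
    }
}
```

HMAC-SHA512/224 yields 28 bytes per block, so a 32-byte AES-256 key needs a second block and a second full pass of `c` iterations, while the 16- and 24-byte keys fit in one.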

