RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v10]
Mark Powers
mpowers at openjdk.org
Wed Oct 1 00:30:33 UTC 2025
On Mon, 29 Sep 2025 20:46:47 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/pkcs12/MacData.java line 260:
>>
>>> 258:
>>> 259: var skf = SecretKeyFactory.getInstance(kdfHmac.equals("HmacSHA512") ?
>>> 260: "PBKDF2WithHmacSHA512" : "PBKDF2WithHmacSHA256");
>>
>> Why not just use `"PBKDF2With" + kdfHmac`? What if `kdfHmac` is "HmacSHA384"?
>
> Also, for old algorithms, this `SecretKeyFactory` should not be used, even if the final result can also be used. Use the old `getPBEKey` code here.
Fixed both. Tested with HmacSHA384 using keystore generated by `openssl` command.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2393135787
More information about the security-dev
mailing list