RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v3]
Mark Powers
mpowers at openjdk.org
Tue Oct 7 20:40:46 UTC 2025
On Wed, 17 Sep 2025 21:32:20 GMT, Thomas Fitzsimmons <fitzsim at openjdk.org> wrote:
>> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>>
>> a few more comments
>
> src/java.base/share/classes/com/sun/crypto/provider/PBMAC1Parameters.java line 173:
>
>> 171: if (keyLength > 0) {
>> 172: pBKDF2_params.putInteger(keyLength / 8); // derived key length (in octets)
>> 173: }
>
> I think `keyLength` is a MUST here. Maybe this should instead check if `keyLength` is `<= 0`, and if so, throw an exception. Then proceed to encode `keyLength` unconditionally.
After innumerable iterations, this encoding method will be removed from `PBMAC1Parameters`.
That said, keyLength now comes from the Mac before being encoded in `MacData`:
Mac m = Mac.getInstance(hmac);
int keyLength = m.getMacLength()*8;
If this doesn't work, we have some other serious issues.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2411832590
More information about the security-dev
mailing list