RFR: 8367008: Algorithm identifiers for HmacSHA* should always have NULL as params
Matthew Donovan
mdonovan at openjdk.org
Thu Oct 9 14:15:01 UTC 2025
On Wed, 8 Oct 2025 16:49:42 GMT, Koushik Muthukrishnan Thirupattur <duke at openjdk.org> wrote:
> Looking at RFC 9879 on PBES2 and PBMAC1 in PKCS12, algorithm identifiers for HmacSHA*** (like SHA***) should always contain NULL as params. We can update the list at AlgorithmId.encode(DOS) to enforce this rule.
src/java.base/share/classes/sun/security/x509/AlgorithmId.java line 143:
> 141: if (params.tag == DerValue.tag_Null) {
> 142: if (params.length() != 0) {
> 143: throw new IOException("invalid NULL");
Can this exception message be more descriptive?
test/jdk/sun/security/x509/AlgorithmId/NullParams.java line 70:
> 68: test("SHA3-384withRSA", true);
> 69: test("SHA3-512withRSA", true);
> 70: test("HmacSHA1", true);
Update the copyright year.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27700#discussion_r2416949082
PR Review Comment: https://git.openjdk.org/jdk/pull/27700#discussion_r2416926253
More information about the security-dev
mailing list