RFR: 8367008: Algorithm identifiers for HmacSHA* should always have NULL as params [v2]
Koushik Muthukrishnan Thirupattur
duke at openjdk.org
Fri Oct 10 20:20:03 UTC 2025
On Fri, 10 Oct 2025 02:27:30 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Koushik Muthukrishnan Thirupattur has updated the pull request incrementally with two additional commits since the last revision:
>>
>> - 8367008: Algorithm identifiers for HmacSHA* should always have NULL as params
>> - 8367008: Algorithm identifiers for HmacSHA* should always have NULL as params
>
> src/java.base/share/classes/sun/security/x509/AlgorithmId.java line 690:
>
>> 688: ObjectIdentifier.of(KnownOIDs.HmacSHA256),
>> 689: ObjectIdentifier.of(KnownOIDs.HmacSHA384),
>> 690: ObjectIdentifier.of(KnownOIDs.HmacSHA512)
>
> The "HMAC algorithm identifiers" section of https://www.rfc-editor.org/rfc/rfc9879.html#name-asn1-module also includes algid-hmacWithSHA512-224 and algid-hmacWithSHA512-256.
>
> Also, I have always been wondering how SHA3 Hmac `AlgorithmId` are encoded. https://datatracker.ietf.org/doc/html/rfc9688#name-signature-algorithms says "the parameters field MUST be absent". Although I'm not sure if this is only in CMS, but I think it's worth adding a reference here explaining why those OIDs are not included.
Thank you for catching that.
I’ve added the missing HMAC OIDs HmacSHA512_224 and HmacSHA512_256 as specified in [RFC 9879 §4](https://www.rfc-editor.org/rfc/rfc9879.html#name-asn1-module)
Regarding SHA3-based HMACs, I have added a comment in the code as per your suggestion.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27700#discussion_r2422005098
More information about the security-dev
mailing list