RFR: 8367008: Algorithm identifiers for HmacSHA* should always have NULL as params [v3]
Weijun Wang
weijun at openjdk.org
Fri Oct 10 21:30:03 UTC 2025
On Fri, 10 Oct 2025 20:16:46 GMT, Koushik Muthukrishnan Thirupattur <duke at openjdk.org> wrote:
>> Looking at RFC 9879 on PBES2 and PBMAC1 in PKCS12, algorithm identifiers for HmacSHA*** (like SHA***) should always contain NULL as params. We can update the list at AlgorithmId.encode(DOS) to enforce this rule.
>
> Koushik Muthukrishnan Thirupattur has updated the pull request incrementally with one additional commit since the last revision:
>
> 8367008: Algorithm identifiers for HmacSHA* should always have NULL as params
src/java.base/share/classes/sun/security/x509/AlgorithmId.java line 194:
> 192: // if most RFCs suggested absent.
> 193: // RSA key and signature algorithms and HmacSHA* algorithms requires
> 194: // the NULL parameters to be present, see A.1 and A.2.4 of RFC 8017.
Move the comment above inside `OIDS_REQUIRING_NULL`, into different lines.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27700#discussion_r2422122724
More information about the security-dev
mailing list