RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v13]
Weijun Wang
weijun at openjdk.org
Wed Oct 15 13:14:41 UTC 2025
On Tue, 14 Oct 2025 23:43:39 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> [JDK-8343232](https://bugs.openjdk.org/browse/JDK-8343232)
>
> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>
> remaining comments
src/java.base/share/classes/com/sun/crypto/provider/PBES2Parameters.java line 308:
> 306: DerOutputStream pBES2_params = new DerOutputStream();
> 307: pBES2_params.write(DerValue.tag_Sequence,
> 308: PBKDF2Parameters.encode(salt, iCount, keysize, kdfAlgo_OID));
`keySize` here is number of bits, but the `PBKDF2Parameters.encode` requires number of bytes. This means a newly created PKCS12 keystore is invalid. When Java loads a PKCS12 keystore, this field is read but not validated. On the other hand, openssl validates it and will report an error.
Suggestion: either always use the same style in all fields and method arguments, or name them precisely.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2432512562
More information about the security-dev
mailing list