RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v16]
Weijun Wang
weijun at openjdk.org
Wed Oct 29 21:22:32 UTC 2025
On Wed, 29 Oct 2025 17:30:17 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/pkcs12/PBMAC1Parameters.java line 118:
>>
>>> 116: * Encode PBMAC1 parameters from components.
>>> 117: */
>>> 118: static byte[] encode(byte[] salt, int iterationCount, int keyLength,
>>
>> This is encoding more than the PBMAC1 parameters; it is also encoding the `MacData` structure. That should really be in the `MacData` class.
>
> I moved it to the `MacData` class as you suggest. `macSalt` ("NOT USED") and `iterations` (1) also belong in `MacData` and have been moved.
The latest `encode` returns two algorithm identifiers concatenated together without any frame. I suggest we follow the `PBKDF2Parameters.java` style you described below ("The outer algorithm ID is also encoded in addition to the parameters"), which means moving the code around `tmp2` and `tmp3` from `MacData::encode` here and leaving a simple `tmp1.writeBytes(PBMAC1Parameters.encode(...))` back there.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2475530557
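
The framing point in the comment above, as an added example (not code from the PR or the JDK): a hand-rolled DER sketch that builds the two algorithm identifiers concatenated without a frame, then the same pair wrapped in the `PBMAC1-params` SEQUENCE of RFC 8018 and in the outer PBMAC1 algorithm ID, and reports how much of each buffer a reader consumes as one value. The class and helper names, the salt, the iteration count and the key length are assumptions chosen for the illustration.

```java
import java.io.ByteArrayOutputStream;
import java.util.HexFormat;

public class Pbmac1Framing {
    static byte[] hex(String s) { return HexFormat.of().parseHex(s); }

    static byte[] cat(byte[]... parts) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (byte[] p : parts) out.writeBytes(p);
        return out.toByteArray();
    }

    // One DER TLV: tag, definite length (content up to 65535 bytes), content.
    static byte[] tlv(int tag, byte[]... content) {
        byte[] body = cat(content);
        int n = body.length;
        byte[] len = n < 0x80 ? new byte[] {(byte) n}
                : n < 0x100 ? new byte[] {(byte) 0x81, (byte) n}
                : new byte[] {(byte) 0x82, (byte) (n >> 8), (byte) n};
        return cat(new byte[] {(byte) tag}, len, body);
    }

    // Size of the first TLV in buf, i.e. what a reader takes as "one value".
    // Handles only the length forms that tlv() above produces.
    static int firstTlvSize(byte[] buf) {
        int l = buf[1] & 0xff;
        if (l < 0x80) return 2 + l;
        if (l == 0x81) return 3 + (buf[2] & 0xff);
        return 4 + (((buf[2] & 0xff) << 8) | (buf[3] & 0xff));
    }

    public static void main(String[] args) {
        byte[] salt = hex("0102030405060708");            // constructed sample salt
        byte[] hmacSha256 = tlv(0x30, hex("06082a864886f70d0209"), hex("0500"));
        byte[] pbkdf2 = tlv(0x30, hex("06092a864886f70d01050c"),   // id-PBKDF2
                tlv(0x30, tlv(0x04, salt), hex("02022710"),  // iterationCount 10000
                        hex("020120"), hmacSha256));         // keyLength 32, prf
        byte[] unframed = cat(pbkdf2, hmacSha256);       // two AlgorithmIdentifiers, no frame
        byte[] params = tlv(0x30, pbkdf2, hmacSha256);   // PBMAC1-params SEQUENCE
        byte[] algId = tlv(0x30, hex("06092a864886f70d01050e"), params); // id-PBMAC1

        System.out.printf("unframed: %d bytes, first TLV covers %d%n",
                unframed.length, firstTlvSize(unframed));
        System.out.printf("params:   %d bytes, first TLV covers %d%n",
                params.length, firstTlvSize(params));
        System.out.printf("algId:    %d bytes, first TLV covers %d%n",
                algId.length, firstTlvSize(algId));
        System.out.println(HexFormat.of().formatHex(algId));
    }
}
```

In the unframed case the first TLV ends before the buffer does, so the return value is not a single DER value that a caller can write or parse on its own; the framed forms are.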