RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v16]
Mark Powers
mpowers at openjdk.org
Thu Oct 30 21:47:15 UTC 2025
On Wed, 29 Oct 2025 21:19:51 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> I moved it to the `MacData` class as you suggest. `macSalt` ("NOT USED") and `iterations` (1) also belong in `MacData` and have been moved.
>
> The latest `encode` returns two algorithm identifiers concatenated together without any frame. I suggest we follow the `PBKDF2Parameters.java` style you described below ("The outer algorithm ID is also encoded in addition to the parameters"), which means moving the code around `tmp2` and `tmp3` from `MacData::encode` here and simply calling `tmp1.writeBytes(PBMAC1Parameters.encode(...))` in `MacData::encode`.
>
> Or, if you prefer to encode the PBMAC1 OID outside (which follows most `AlgorithmParametersSpi` classes), put the concatenation inside a SEQUENCE and return it. This is similar to https://github.com/openjdk/jdk/pull/24429#discussion_r2455313609.
I choose the latter.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2479603960
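
The framing point from the quoted review comment, as an added example that is not part of the original message or of the JDK patch: two DER `AlgorithmIdentifier` values written back to back parse as two top-level elements, while wrapping them in a SEQUENCE (the shape RFC 8018 gives `PBMAC1-params`) yields a single value a decoder can read in one step. The helper names are hypothetical, and the salt, iteration count and key length are constructed sample values.

```python
# Added illustration, not JDK code. Hand-rolled DER, short-form lengths only.
PBKDF2_OID = "1.2.840.113549.1.5.12"
HMAC_SHA256_OID = "1.2.840.113549.2.9"

def tlv(tag, content):
    assert len(content) < 128, "sketch handles short-form lengths only"
    return bytes([tag, len(content)]) + content

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, least significant group first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def integer(n):  # non-negative values only
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def top_level_elements(data):
    """Split a byte string into the DER elements found at its top level."""
    out = []
    while data:
        length = data[1]
        out.append(data[:2 + length])
        data = data[2 + length:]
    return out

def sample_encodings():
    salt = bytes(range(8))  # constructed sample salt
    hmac_alg = seq(oid(HMAC_SHA256_OID), tlv(0x05, b""))
    kdf = seq(oid(PBKDF2_OID),
              seq(tlv(0x04, salt), integer(10000), integer(32), hmac_alg))
    unframed = kdf + hmac_alg    # two values back to back, no outer frame
    framed = seq(kdf, hmac_alg)  # one SEQUENCE holding both identifiers
    return unframed, framed

if __name__ == "__main__":
    unframed, framed = sample_encodings()
    print(len(top_level_elements(unframed)), "top-level elements when unframed")
    print(len(top_level_elements(framed)), "top-level element when framed")
```
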