RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v18]
Weijun Wang
weijun at openjdk.org
Fri Oct 31 01:19:18 UTC 2025
On Thu, 30 Oct 2025 21:09:57 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> [JDK-8343232](https://bugs.openjdk.org/browse/JDK-8343232)
>
> Mark Powers has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 36 commits:
>
> - two algorithm identifiers concatenated together without any frame
> - merge
> - three comments and OID name change
> - A4-A6 from RFC
> - Weijun code review comments
> - merge
> - stragglers
> - checkpoint
> - remaining comments
> - more review comments from Sean and Weijun
> - ... and 26 more: https://git.openjdk.org/jdk/compare/a2196e20...409f34c5
src/java.base/share/classes/sun/security/pkcs12/MacData.java line 327:
> 325: // id-PBMAC1 OBJECT IDENTIFIER ::= { pkcs-5 14 }
> 326: tmp2.putOID(ObjectIdentifier.of(KnownOIDs.PBMAC1));
> 327: tmp2.write(tmp3);
Since there is only one raw byte array in `tmp3`, the following lines
DerOutputStream tmp3 = new DerOutputStream();
tmp3.writeBytes(PBMAC1Parameters.encode(macSalt, iterations, keyLength, kdfHmac, hmac));
tmp2.write(tmp3);
is equivalent to
tmp2.writeBytes(PBMAC1Parameters.encode(macSalt, iterations, keyLength, kdfHmac, hmac));
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2479906740
More information about the security-dev
mailing list