RFR: 8343232: PKCS#12 KeyStore support for RFC 9579: Use of Password-Based Message Authentication Code 1 (PBMAC1)

Valerie Peng valeriep at openjdk.org
Thu Sep 4 19:57:46 UTC 2025


On Thu, 4 Sep 2025 19:45:12 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> [JDK-8343232](https://bugs.openjdk.org/browse/JDK-8343232)
>
> src/java.base/share/classes/com/sun/crypto/provider/PBMAC1Core.java line 168:
> 
>> 166:                 } else if (kdfAlgo.equals("HmacSHA256")) {
>> 167:                     keyLength = 256;
>> 168:                 }
> 
> Why only these two algorithms? Doesn't PBMAC1Core also support other HmacSHAXXX algorithms? We should add an else block to cover unsupported algorithms to detect inconsistency also.

Is it possible to add a `keyLength` argument to the constructor, so that a different key length can be set along with the block length.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2323357191


More information about the security-dev mailing list