RFR: 8343232: PKCS#12 KeyStore support for RFC 9579: Use of Password-Based Message Authentication Code 1 (PBMAC1)

Weijun Wang weijun at openjdk.org
Thu Sep 4 21:27:01 UTC 2025


On Thu, 4 Sep 2025 19:54:47 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> src/java.base/share/classes/com/sun/crypto/provider/PBMAC1Core.java line 168:
>> 
>>> 166:                 } else if (kdfAlgo.equals("HmacSHA256")) {
>>> 167:                     keyLength = 256;
>>> 168:                 }
>> 
>> Why only these two algorithms? Doesn't PBMAC1Core also support other HmacSHAXXX algorithms? We should add an else block to cover unsupported algorithms to detect inconsistency also.
>
> Is it possible to add a `keyLength` argument to the constructor, so that a different key length can be set along with the block length.

In fact, this will change the behavior of the Mac algorithm `PBEWithHmacSHA256` since we hardcoded `keyLength` as `blockLength` there.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2323578277


More information about the security-dev mailing list