RFR: 8343232: PKCS#12 KeyStore support for RFC 9579: Use of Password-Based Message Authentication Code 1 (PBMAC1)

Sean Mullan mullan at openjdk.org
Fri Sep 5 12:10:12 UTC 2025


On Thu, 3 Apr 2025 22:58:39 GMT, Mark Powers <mpowers at openjdk.org> wrote:

> [JDK-8343232](https://bugs.openjdk.org/browse/JDK-8343232)

src/java.base/share/classes/com/sun/crypto/provider/PBMAC1Core.java line 169:

> 167:                     keyLength = 256;
> 168:                 }
> 169: /*

commented out code ...

src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1489:

> 1487:         final MacData macData;
> 1488: 
> 1489:         if (macAlgorithm.equals("PBMAC1")) {

The PBMAC1 algorithms are already defined in the standard algorithm names spec, see https://download.java.net/java/early_access/jdk25/docs/specs/security/standard-names.html#mac-algorithms

The default value of the `keystore.pkcs12.macAlgorithm` security property in the `java.security`file should be changed to "PBEWithHmacSHA256" as part of this change.

So you don't need to check if the algorithm is "PBMAC1", just use the algorithm that the property is set to.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2324870945
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2324918183


More information about the security-dev mailing list