RFR: 8343232: PKCS#12 KeyStore support for RFC 9579: Use of Password-Based Message Authentication Code 1 (PBMAC1)

Sean Mullan mullan at openjdk.org
Fri Sep 5 13:06:12 UTC 2025


On Thu, 3 Apr 2025 22:58:39 GMT, Mark Powers <mpowers at openjdk.org> wrote:

> [JDK-8343232](https://bugs.openjdk.org/browse/JDK-8343232)

src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1518:

> 1516:             macData = new MacData(algName, macResult, params,
> 1517:                     defaultMacAlgorithm().replace("PBE", ""),
> 1518:                     extraSalt, extraIterationCount);

I'm not sure why you need the additional parameters (`params`, `extraSalt`, `extraIterationCount`). I think you can use the existing constructor and inside `MacData`, detect if PBMAC1 is being used by checking the algorithm name, and then encode the salt and iteration count in the PBMAC1 algorithm parameters as per RFC 7292/9579.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2325037355


More information about the security-dev mailing list