RFR: 8343232: PKCS#12 KeyStore support for RFC 9579: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v3]

Mark Powers mpowers at openjdk.org
Wed Sep 17 15:43:02 UTC 2025


On Fri, 5 Sep 2025 12:06:53 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   a few more comments
>
> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1489:
> 
>> 1487:         final MacData macData;
>> 1488: 
>> 1489:         if (macAlgorithm.equals("PBMAC1")) {
> 
> The PBMAC1 algorithms are already defined in the standard algorithm names spec, see https://download.java.net/java/early_access/jdk25/docs/specs/security/standard-names.html#mac-algorithms
> 
> The default value of the `keystore.pkcs12.macAlgorithm` security property in the `java.security` file should be changed to "PBEWithHmacSHA256" as part of this change.
> 
> So you don't need to check if the algorithm is "PBMAC1", just use the algorithm that the property is set to.

Not sure if any tests will break if we make "PBEWithHmacSHA256" the default. I'll check.

If the `keystore.pkcs12.macAlgorithm` security property is **not** changed, then I believe the rule is to write the keystore as it was read, meaning a keystore with the old MAC will be written as such. Removing this "PBMAC1" check would make it impossible to do this.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2355942286

