RFR: 8343232: PKCS#12 KeyStore support for RFC 9579: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v3]
Mark Powers
mpowers at openjdk.org
Wed Sep 17 18:55:22 UTC 2025
On Wed, 17 Sep 2025 15:35:29 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1489:
>>
>>> 1487: final MacData macData;
>>> 1488:
>>> 1489: if (macAlgorithm.equals("PBMAC1")) {
>>
>> The PBMAC1 algorithms are already defined in the standard algorithm names spec, see https://download.java.net/java/early_access/jdk25/docs/specs/security/standard-names.html#mac-algorithms
>>
>> The default value of the `keystore.pkcs12.macAlgorithm` security property in the `java.security` file should be changed to "PBEWithHmacSHA256" as part of this change.
>>
>> So you don't need to check if the algorithm is "PBMAC1", just use the algorithm that the property is set to.
>
> Not sure if any tests will break if we make "PBEWithHmacSHA256" the default. I'll check.
>
> If the `keystore.pkcs12.macAlgorithm` security property is **not** changed, then I believe the rule is to write the keystore as it was read, meaning a keystore with the old MAC will be written as such. Removing this "PBMAC1" check would make it impossible to do this.
I found one and maybe two existing tests that will have to be modified if "PBEWithHmacSHA256" becomes the default.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2356462159