RFR: 8343232: PKCS#12 KeyStore support for RFC 9579: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v3]
Weijun Wang
weijun at openjdk.org
Thu Sep 18 16:27:25 UTC 2025
On Wed, 17 Sep 2025 18:53:03 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> Not sure if any tests will break if we make "PBEWithHmacSHA256" the default. I'll check.
>>
>> If the `keystore.pkcs12.macAlgorithm` security property is **not** changed, then I believe the rule is to write the keystore as it was read, meaning a keystore with the old MAC will be written as such. Removing this "PBMAC1" check would make it impossible to do this.
>
> I found one and maybe two existing tests that will have to be modified if "PBEWithHmacSHA256" becomes the default.
I thought we would keep the default unchanged this time.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2360163072