RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v3]
Mark Powers
mpowers at openjdk.org
Mon Sep 22 16:14:26 UTC 2025
On Mon, 22 Sep 2025 13:24:12 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Are you suggesting to always generate a 20 byte salt?
>>
>> Can you provide a line number for your first comment about breaking up "PBEWithHmacSHA256"?
>> This string is read from the property file and has nothing to do with any DER encoded values read from the keystore input stream.
>
> Yes, I think always generating a 20 byte salt is not a problem.
>
> For the name break up, I see that `macAlgorithm` can sometimes be `defaultMacAlgorithm()` which is the full "PBEWithHmacSHA256" (line 1250) and sometimes being "PBMAC1" only (line 2203) with `pbmac1Hmac` serving as the additional info. I suggest always using the full name.
I see it now. Fixed.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2369221962
More information about the security-dev
mailing list