RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v2]
Mark Powers
mpowers at openjdk.org
Mon Sep 22 21:04:52 UTC 2025
On Tue, 16 Sep 2025 18:37:15 GMT, Bernd <duke at openjdk.org> wrote:
>> Mark Powers has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 17 commits:
>>
>> - merge
>> - removed changes to PBMAC1Core and addressed some comments from Valerie
>> - small changes
>> - not used
>> - refresh index
>> - Merge
>> - rework to eliminate PBMAC1ParameterSpec
>> - merge
>> - comments from Valerie
>> - missed this new file
>> - ... and 7 more: https://git.openjdk.org/jdk/compare/075ebb4e...624ef92e
>
> src/java.base/share/classes/com/sun/crypto/provider/PBMAC1Parameters.java line 76:
>
>> 74: private int iCount = 0;
>> 75:
>> 76: // the key derivation function (default is HmacSHA1)
>
> Is there a reason why to default to sha1, would be for a new feature good to start with a modern default (or none). I know that hmacsha1 in this usecase would still be ok, but that does Not mean that longer (and faster) hashes dont make Sense. If this is picked due to rfc compatibility, maybe name the reference in a comment?
Sean Mullan answered this question in an earlier comment. That target is JDK 27.
"This allows users to try out the new algorithm in JDK 26 before we switch to it."
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2370296392
More information about the security-dev
mailing list