RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v7]
Mark Powers
mpowers at openjdk.org
Mon Sep 22 21:04:55 UTC 2025
On Wed, 9 Jul 2025 05:42:52 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>>
>> default salt length and one other comment from Weijun
>
> src/java.base/share/classes/javax/crypto/spec/PBMAC1ParameterSpec.java line 41:
>
>> 39: * @since 26
>> 40: */
>> 41: public class PBMAC1ParameterSpec implements AlgorithmParameterSpec {
>
> PKCS#12 states that other KDF may be used, e.g. Scrypt. The current API seems to be hardcoded to PBKDF2, e.g. salt, iteration count, keyLength, prf, etc. Have you considered separating it out? I know that encapsulating all these different possibilities can be complicated. If this class doesn't have to be under javax.crypto,spec, then we can change it as we see fit. Otherwise, we will need spending more time designing the API...
This was considered, but it was finally decided deliver a minimally compliant implementation, e.g. a PBKDF2 supporting only HmacSHA256 and HmacSHA512.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2370299664
More information about the security-dev
mailing list