RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v7]
Mark Powers
mpowers at openjdk.org
Wed Sep 24 02:51:45 UTC 2025
On Mon, 22 Sep 2025 21:13:38 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>>
>> default salt length and one other comment from Weijun
>
> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1964:
>
>> 1962: ((PBEParameterSpec)params).getIterationCount(),
>> 1963: kdfHmac.equals("HmacSHA512") ? 64*8 : 32*8));
>> 1964: Mac m = Mac.getInstance(kdfHmac);
>
> `kdfHmac` is used as `prfHmac` here. If you intend to only support them being the same, please error out as early as possible when parsing PBMAC1-params. You might be able to support them at loading but still lack enough info at storing.
An exception is now thrown in `MacData` when reading.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2373906919
More information about the security-dev
mailing list