RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v3]

Mark Powers mpowers at openjdk.org
Wed Sep 24 02:51:42 UTC 2025


On Mon, 22 Sep 2025 22:47:10 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Then you can't read in an old keystore and write it back out as a PBMAC1 keystore?
>> 
>> I thought the PBE* security property value, if present, applied to all keystore writes.
>
> It writes back using the original Mac algorithm.
> 
> If you really want to "upgrade" a keystore, run `keytool -importkeystore`.

Another iteration on this (sigh). This sequence now works:

keytool -keystore ks -keyalg ec -storepass changeit -genkeypair -alias a -dname CN=a -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA512
keytool -keystore ks -keyalg ec -storepass changeit -genkeypair -alias b -dname CN=b -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA256
keytool -importkeystore -srckeystore ks -storepass changeit -destkeystore ks.new -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA256

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2373906624
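The two behaviours this exchange describes, re-storing a loaded keystore (MAC algorithm preserved) versus copying its entries into a fresh keystore the way `keytool -importkeystore` does (new MAC algorithm applied), written out as an added Java example that is not code from the PR or the JDK. It assumes the `ks` file from the keytool commands above exists in the working directory, that setting the `keystore.pkcs12.macAlgorithm` system property in-process has the same effect as the `-J-D` flag on the keytool command line, and that a PBMAC1-protected file contains the id-PBMAC1 OID (1.2.840.113549.1.5.14) in its MacData; the OID byte search is a quick heuristic, not a DER parser.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

/*
 * Added example, not code from the PR. Re-storing a loaded PKCS#12 keystore keeps
 * its original MAC algorithm; copying the entries into a fresh KeyStore (what
 * keytool -importkeystore does) is what picks up keystore.pkcs12.macAlgorithm.
 */
public class Pkcs12MacUpgrade {

    // DER value bytes of id-PBMAC1 = 1.2.840.113549.1.5.14 (RFC 8018, used by RFC 9879).
    private static final byte[] PBMAC1_OID = {
        0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0x0D, 0x01, 0x05, 0x0E
    };

    /** Heuristic check: does the file carry the PBMAC1 OID anywhere in its bytes? */
    static boolean containsPbmac1Oid(Path file) throws IOException {
        byte[] der = Files.readAllBytes(file);
        outer:
        for (int i = 0; i + PBMAC1_OID.length <= der.length; i++) {
            for (int j = 0; j < PBMAC1_OID.length; j++) {
                if (der[i + j] != PBMAC1_OID[j]) {
                    continue outer;
                }
            }
            return true;
        }
        return false;
    }

    static KeyStore load(Path file, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    static void store(KeyStore ks, Path file, char[] password)
            throws IOException, GeneralSecurityException {
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, password);
        }
    }

    /** The "write back" case from the thread: the original MAC algorithm is kept. */
    static void rewriteInPlace(Path file, char[] password)
            throws IOException, GeneralSecurityException {
        store(load(file, password), file, password);
    }

    /** The keytool -importkeystore case: entries copied into a brand-new keystore. */
    static void copyToNewStore(Path src, Path dest, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore old = load(src, password);
        KeyStore fresh = KeyStore.getInstance("PKCS12");
        fresh.load(null, null); // empty keystore: no MacData inherited from the source
        for (String alias : Collections.list(old.aliases())) {
            if (old.isKeyEntry(alias)) {
                Key key = old.getKey(alias, password);
                Certificate[] chain = old.getCertificateChain(alias); // null for secret keys
                fresh.setKeyEntry(alias, key, password, chain);
            } else {
                fresh.setCertificateEntry(alias, old.getCertificate(alias));
            }
        }
        store(fresh, dest, password);
    }

    public static void main(String[] args) throws Exception {
        Path ks = Path.of("ks");        // assumed: created by the keytool commands in the thread
        Path ksNew = Path.of("ks.new");
        char[] pw = "changeit".toCharArray();

        // Assumed equivalent of -J-Dkeystore.pkcs12.macAlgorithm=... on the keytool line.
        System.setProperty("keystore.pkcs12.macAlgorithm", "PBEWithHmacSHA256");

        rewriteInPlace(ks, pw);
        System.out.println("ks     PBMAC1 OID present: " + containsPbmac1Oid(ks));
        copyToNewStore(ks, ksNew, pw);
        System.out.println("ks.new PBMAC1 OID present: " + containsPbmac1Oid(ksNew));
    }
}
```

The OID probe is what a practitioner would reach for to confirm which path a keystore actually took after an upgrade; for a definitive answer, parse the outer PFX structure and inspect the MacData's algorithm identifier rather than scanning raw bytes.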


More information about the security-dev mailing list