RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v8]
Weijun Wang
weijun at openjdk.org
Wed Sep 24 13:27:18 UTC 2025
On Wed, 24 Sep 2025 02:57:12 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> [JDK-8343232](https://bugs.openjdk.org/browse/JDK-8343232)
>
> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>
> fix behavior with keytool
src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1487:
> 1485: int writeIterationCount = macIterationCount;
> 1486:
> 1487: if (newKeystore) {
I cannot see how `newKeystore` is useful. Back when it's set to true, `macAlgorithm` was also set to `defaultMacAlgorithm()`. Therefore there is no need to try `defaultMacAlgorithm()` again below. As for `writeIterationCount`, for a new keystore it is -1, so we can use this to decide whether it should be assigned `defaultMacIterationCount()`.
src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1493:
> 1491: if (!(kdfHmac.equals("HmacSHA512") ||
> 1492: kdfHmac.equals("HmacSHA256"))) {
> 1493: kdfHmac = pbmac1Hmac; // use value associated with keystore
`kdfHmac` is probably null now. If you decide to reject other algorithms (which I don't find necessary), error out.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2375788823
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2375791879
More information about the security-dev
mailing list