RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v7]
Sean Mullan
mullan at openjdk.org
Wed Sep 24 14:05:49 UTC 2025
On Tue, 23 Sep 2025 18:15:00 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>>
>> default salt length and one other comment from Weijun
>
> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 2196:
>
>> 2194: String algName =
>> 2195: macData.getDigestAlgName().toUpperCase(Locale.ENGLISH);
>> 2196: if (algName.equals("PBMAC1")) {
>
> We should manage to move algorithm-specific logic inside `MacData` as much as possible, ideally everything. For example, instead of letting `macData.getDigestAlgName()` returning either "HmacSHA256" or "PBMAC1", it should return the final `macAlgorithm` we need. If the calculation and verification must be different, they can also be moved into `MacData`.
This makes sense.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2375918643
More information about the security-dev
mailing list