RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v8]
Weijun Wang
weijun at openjdk.org
Wed Sep 24 16:44:41 UTC 2025
On Wed, 24 Sep 2025 15:58:16 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> `newKeystore` and `macAlgorithm` are not always set together. When creating a keystore, they are both set, but when reading a keystore only `macAlgorithm` is set. So if I read first and then write (no create), `newKeystore` will not be set. Therefore, I can't remove `newKeystore` and only use `macAlgorithm` if that's what you're suggesting.
>>
>> I agree that `defaultMacAlgorithm()` can be replaced by `macAlgorithm` on lines 1489 and 1490.
>>
>> `writeIterationCount` is initialized to `defaultMacIterationCount()` on. line 1253 so it is never -1 when `calculateMac` is entered. `writeIterationCount` is also set when a keystore is read (lines 2209 and 2220). I probably shouldn't be doing that.
>
> Maybe `macAlgorithm` shouldn't be set when reading a keystore.
There is no difference whether `newKeystore` is true or false. Yes, I can see `writeIterationCount` has already been set to `defaultMacIterationCount()` before, but then there is no need to set it to the same value again here.
`macAlgorithm` needs to be set when reading a keystore. This ensures when `store` is called, the original algorithm is used.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2376395823
More information about the security-dev
mailing list