RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v8]
Weijun Wang
weijun at openjdk.org
Wed Sep 24 16:56:18 UTC 2025
On Wed, 24 Sep 2025 13:24:49 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>>
>> fix behavior with keytool
>
> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1493:
>
>> 1491: if (!(kdfHmac.equals("HmacSHA512") ||
>> 1492: kdfHmac.equals("HmacSHA256"))) {
>> 1493: kdfHmac = pbmac1Hmac; // use value associated with keystore
>
> `pbmac1Hmac` is probably null now. If you decide to reject other algorithms (which I don't find necessary), error out.
Why is `pbmac1Hmac` necessary? Do we want to support writing with different PRF and HMAC?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2376426464
More information about the security-dev
mailing list