RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v8]
Mark Powers
mpowers at openjdk.org
Mon Sep 29 15:05:28 UTC 2025
On Wed, 24 Sep 2025 16:53:17 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1493:
>>
>>> 1491: if (!(kdfHmac.equals("HmacSHA512") ||
>>> 1492: kdfHmac.equals("HmacSHA256"))) {
>>> 1493: kdfHmac = pbmac1Hmac; // use value associated with keystore
>>
>> `pbmac1Hmac` is probably null now. If you decide to reject other algorithms (which I don't find necessary), error out.
>
> Why is `pbmac1Hmac` necessary? Do we want to support writing with different PRF and HMAC?
Writing with different PRF and HMAC **is** supported. Test vector #2 in the RFC passes.
`pbmac1Hmac` is gone.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2388313026
More information about the security-dev
mailing list