RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v10]
Thomas Fitzsimmons
fitzsim at openjdk.org
Mon Sep 29 20:49:10 UTC 2025
On Mon, 29 Sep 2025 03:45:38 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> [JDK-8343232](https://bugs.openjdk.org/browse/JDK-8343232)
>
> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>
> another day another iteration
(This is more of a usage report than a review.)
I have been following along as this patch evolves, testing it against `SunPKCS11`.
I have been configuring `java.security` with:
security.provider.1=SunPKCS11 /tmp/nss.txt
security.provider.2=SUN
security.provider.3=SunRsaSign
security.provider.4=SunEC
security.provider.5=SunJSSE
security.provider.6=SunJCE
security.provider.7=SunJGSS
security.provider.8=SunSASL
security.provider.9=XMLDSig
security.provider.10=SunPCSC
security.provider.11=JdkLDAP
security.provider.12=JdkSASL
then running:
keytool -J-Djava.security.debug=all -list -keystore rfc-9579-a.1.p12 -storepass 1234 -v
As of commit https://github.com/openjdk/jdk/pull/24429/commits/ecda43f557b4f96c9f54287b13e7cf7056fb8e94, the patch requested `Mac.PBEWithHmacSHA256` directly. `SunPKCS11` does not claim to implement that algorithm name. So even though (in `java.security`) `SunPKCS11` took priority over `SunJCE`, `SunJCE`'s `HMAC-SHA256` algorithm was being used:
3236:Provider[0x3|main|KeyStore.java:822|2025-09-23 16:09:08.499]: KeyStore.PKCS12 type from: SUN
3240:Provider[0x3|main|Cipher.java:1606|2025-09-23 16:09:08.614]: Cipher.PBEWithHmacSHA256AndAES_256, mode: decryption, algorithm from: SunPKCS11-NSS
[Start of SunJCE HMAC-SHA256 load messages]
3243:Provider[0x3|main|MessageDigest.java:200|2025-09-23 16:09:08.735]: MessageDigest.SHA-256 algorithm from: SunPKCS11-NSS
3244:Provider[0x3|main|MessageDigest.java:200|2025-09-23 16:09:08.739]: MessageDigest.SHA-256 algorithm from: SunPKCS11-NSS
3245:Provider[0x3|main|Mac.java:446|2025-09-23 16:09:08.740]: Mac.HmacSHA256 algorithm from: SunJCE
7342:Provider[0x3|main|Mac.java:473|2025-09-23 16:09:09.129]: Mac.PBEWithHmacSHA256 algorithm from: SunJCE
[End of SunJCE HMAC-SHA256 load messages]
7346:Provider[0x3|main|Signature.java:545|2025-09-23 16:09:09.200]: Signature.SHA256withRSA verification algorithm from: SunPKCS11-NSS
7373:Provider[0x3|main|MessageDigest.java:200|2025-09-23 16:09:09.422]: MessageDigest.SHA-1 algorithm from: SunPKCS11-NSS
7375:Provider[0x3|main|MessageDigest.java:200|2025-09-23 16:09:09.422]: MessageDigest.SHA-256 algorithm from: SunPKCS11-NSS
7455:Provider[0x3|main|KeyStore.java:822|2025-09-23 16:09:09.466]: KeyStore.PKCS12 type from: SUN
7457:Provider[0x3|main|Cipher.java:1606|2025-09-23 16:09:09.466]: Cipher.PBEWithHmacSHA256AndAES_256, mode: decryption, algorithm from: SunPKCS11-NSS
[Start of SunJCE HMAC-SHA256 load messages]
7460:Provider[0x3|main|MessageDigest.java:200|2025-09-23 16:09:09.468]: MessageDigest.SHA-256 algorithm from: SunPKCS11-NSS
7461:Provider[0x3|main|MessageDigest.java:200|2025-09-23 16:09:09.468]: MessageDigest.SHA-256 algorithm from: SunPKCS11-NSS
7462:Provider[0x3|main|Mac.java:446|2025-09-23 16:09:09.468]: Mac.HmacSHA256 algorithm from: SunJCE
11559:Provider[0x3|main|Mac.java:473|2025-09-23 16:09:09.831]: Mac.PBEWithHmacSHA256 algorithm from: SunJCE
[End of SunJCE HMAC-SHA256 load messages]
Commit https://github.com/openjdk/jdk/pull/24429/commits/7a010df9b6c75ac151c53979febcda56ec563ab8 fixed this issue by removing the "PBEWith" from the name:
    private void processMacData(AlgorithmParameterSpec params,
            MacData macData, char[] password, byte[] data, String macAlgorithm)
            throws Exception {
        final String kdfHmac;
        String tmp;
        // Strip the "PBEWith" prefix so the Mac is requested by its plain HMAC name
        // (e.g. "HmacSHA256"), which SunPKCS11 does register; any other name is left as-is.
        tmp = macAlgorithm.replace("PBEWith", "");
        if (!(tmp.equals("HmacSHA512") || tmp.equals("HmacSHA256"))) {
            kdfHmac = macAlgorithm;
        } else {
            kdfHmac = tmp;
        }
        // (remainder of the method omitted in the quoted excerpt)
Now `SunPKCS11`'s `HMAC-SHA256` is used, so my testing is satisfied:
3236:Provider[0x3|main|KeyStore.java:822|2025-09-23 15:58:07.252]: KeyStore.PKCS12 type from: SUN
3240:Provider[0x3|main|Cipher.java:1606|2025-09-23 15:58:07.396]: Cipher.PBEWithHmacSHA256AndAES_256, mode: decryption, algorithm from: SunPKCS11-NSS
[Start SunPKCS11 HMAC-SHA256 load messages]
3243:Provider[0x3|main|Mac.java:446|2025-09-23 15:58:07.521]: Mac.HmacSHA256 algorithm from: SunPKCS11-NSS
[End SunPKCS11 HMAC-SHA256 load messages]
3245:Provider[0x3|main|Signature.java:545|2025-09-23 15:58:07.591]: Signature.SHA256withRSA verification algorithm from: SunPKCS11-NSS
3272:Provider[0x3|main|MessageDigest.java:200|2025-09-23 15:58:07.813]: MessageDigest.SHA-1 algorithm from: SunPKCS11-NSS
3274:Provider[0x3|main|MessageDigest.java:200|2025-09-23 15:58:07.821]: MessageDigest.SHA-256 algorithm from: SunPKCS11-NSS
3354:Provider[0x3|main|KeyStore.java:822|2025-09-23 15:58:07.861]: KeyStore.PKCS12 type from: SUN
3356:Provider[0x3|main|Cipher.java:1606|2025-09-23 15:58:07.862]: Cipher.PBEWithHmacSHA256AndAES_256, mode: decryption, algorithm from: SunPKCS11-NSS
[Start SunPKCS11 HMAC-SHA256 load messages]
3359:Provider[0x3|main|Mac.java:446|2025-09-23 15:58:07.864]: Mac.HmacSHA256 algorithm from: SunPKCS11-NSS
[End SunPKCS11 HMAC-SHA256 load messages]
I didn't see this explicitly discussed in the review comments, so I thought I would mention it.
I wonder if it might make sense in a follow-up PR to "future proof" `SunPKCS11` by having it declare support for `Mac.PBEWithHmacSHA256` by name, in case `PKCS12KeyStore.java` ever wanted to request that directly.
-------------
PR Review: https://git.openjdk.org/jdk/pull/24429#pullrequestreview-3281733011
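Added example, not code from the PR or from the JDK: a small stand-alone program that shows the provider-selection behaviour described above, using only public JCA API. It reports which provider in the configured order backs `Mac.PBEWithHmacSHA256` versus `Mac.HmacSHA256`, and computes a PBMAC1 tag (PBKDF2 key derivation followed by a plain HMAC, as in RFC 9579) using the same name normalization as the patch; the class name, the helper names, the sample salt, password and data are constructed for this example, and using the HMAC output size as the PBKDF2 key length is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class Pbmac1ProviderCheck {

    // Same normalization as the patch: drop "PBEWith" only for the two HMAC
    // names the PBMAC1 path handles; any other name is requested unchanged.
    static String kdfHmacName(String macAlgorithm) {
        String tmp = macAlgorithm.replace("PBEWith", "");
        return (tmp.equals("HmacSHA512") || tmp.equals("HmacSHA256")) ? tmp : macAlgorithm;
    }

    // First provider in the configured order that registers Mac.<alg>;
    // this is the one Mac.getInstance(alg) would return.
    static String providerFor(String alg) {
        for (Provider p : Security.getProviders()) {
            if (p.getService("Mac", alg) != null) {
                return p.getName();
            }
        }
        return "(none)";
    }

    // PBMAC1: PBKDF2 derives the MAC key, then an ordinary HMAC runs over the data.
    static byte[] pbmac1(char[] password, byte[] salt, int iterations,
                         String macAlgorithm, byte[] data) throws Exception {
        String hmac = kdfHmacName(macAlgorithm);            // e.g. "HmacSHA256"
        Mac mac = Mac.getInstance(hmac);
        int keyBits = mac.getMacLength() * 8;               // assumption: key length = HMAC output size
        SecretKeyFactory kdf = SecretKeyFactory.getInstance("PBKDF2With" + hmac);
        SecretKey derived = kdf.generateSecret(new PBEKeySpec(password, salt, iterations, keyBits));
        mac.init(new SecretKeySpec(derived.getEncoded(), hmac));
        System.out.println("KDF from " + kdf.getProvider().getName()
                + ", MAC from " + mac.getProvider().getName());
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        for (String alg : new String[] {"PBEWithHmacSHA256", "HmacSHA256"}) {
            System.out.println("Mac." + alg + " -> " + providerFor(alg));
        }
        // Constructed sample inputs; not taken from the PKCS#12 file in the report.
        byte[] salt = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        byte[] tag = pbmac1("1234".toCharArray(), salt, 2048, "PBEWithHmacSHA256",
                            "authenticated safe contents".getBytes(StandardCharsets.UTF_8));
        System.out.println("PBMAC1 tag length: " + tag.length);
    }
}
```

Run it with the same `-Djava.security.properties` or `java.security` provider order as the `keytool` invocation above; with `SunPKCS11` first, `Mac.PBEWithHmacSHA256` resolves to `SunJCE` while `Mac.HmacSHA256` resolves to the PKCS#11 provider.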