RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v10]
Weijun Wang
weijun at openjdk.org
Mon Sep 29 21:11:11 UTC 2025
On Mon, 29 Sep 2025 20:44:29 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>>
>> another day another iteration
>
> src/java.base/share/classes/sun/security/pkcs12/MacData.java line 260:
>
>> 258:
>> 259: var skf = SecretKeyFactory.getInstance(kdfHmac.equals("HmacSHA512") ?
>> 260: "PBKDF2WithHmacSHA512" : "PBKDF2WithHmacSHA256");
>
> Why not just use `"PBKDF2With" + kdfHmac`? What if `kdfHmac` is "HmacSHA384"?
Also, for old algorithms, this `SecretKeyFactory` should not be used, even if the final result can also be used. Use the old `getPBEKey` code here.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2389234712
More information about the security-dev
mailing list