RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v7]
Mark Powers
mpowers at openjdk.org
Tue Sep 30 04:00:53 UTC 2025
On Tue, 23 Sep 2025 11:40:03 GMT, Matthew Donovan <mdonovan at openjdk.org> wrote:
>> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>>
>> default salt length and one other comment from Weijun
>
> test/jdk/sun/security/pkcs12/PBMAC1Encoding.java line 39:
>
>> 37: public class PBMAC1Encoding {
>> 38: // A.1. Valid PKCS #12 File with SHA-256 HMAC and PRF
>> 39: static final String A1 =
>
> Can you add a comment explaining how to create these Strings?
I added a comment that these tests are from RFC 9879. The RFC doesn't mention how the strings were created. They are base64 encoded PKCS12 keystores.
> test/jdk/sun/security/pkcs12/PBMAC1Encoding.java line 423:
>
>> 421: ks = KeyStore.getInstance("PKCS12");
>> 422: ks.load(new ByteArrayInputStream(Base64.getDecoder().decode(A2)),
>> 423: password.toCharArray());
>
> Throw an exception after `ks.load()`. Otherwise, if `load()` doesn't throw anything, the test will pass when it shouldn't.
A2 should pass now. `load()` shouldn't throw anything.
> test/jdk/sun/security/pkcs12/PBMAC1Encoding.java line 445:
>
>> 443: ks = KeyStore.getInstance("PKCS12");
>> 444: ks.load(new ByteArrayInputStream(Base64.getDecoder().decode(A4)),
>> 445: password.toCharArray());
>
> throw an exception after `ks.load()` here and for A.5 and A.6 test cases.
A4-A6 are expected to throw an exception. That's why I catch the exception and print "pass".
Am I missing something?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2389780036
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2389780245
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2389780637
More information about the security-dev
mailing list