RFR: 8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) [v10]
Thomas Fitzsimmons
fitzsim at openjdk.org
Tue Sep 30 16:09:53 UTC 2025
On Mon, 29 Sep 2025 21:25:42 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> `Mac.PBEWithHmacSHA256` is not used because inside its SunJCE implementation the PBKDF2 key length is hardcoded to the Hmac's _block_ length. On the other hand, in PKCS12's PBMAC1, the key length SHOULD be the _output_ length of Hmac.
Makes sense, thanks for the explanation; I rechecked the code and found the two differing `PBEKeySpec` constructions.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/24429#issuecomment-3352890070
More information about the security-dev
mailing list