<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
  </head>
  <body>
    here are the main changes that we pushed for JDK 11u:<br>
    <br>
    <blockquote type="cite">
      <pre style="color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; overflow-wrap: break-word; white-space: pre-wrap;">diff --git a/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java b/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
index a62452bdcd..441f2b651e 100644
--- a/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
+++ b/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
@@ -101,10 +101,10 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
             = "PBEWithHmacSHA256AndAES_256";
     private static final String DEFAULT_KEY_PBE_ALGORITHM
             = "PBEWithHmacSHA256AndAES_256";
-    private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA256";
+    private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA1";
     private static final int DEFAULT_CERT_PBE_ITERATION_COUNT = 10000;
     private static final int DEFAULT_KEY_PBE_ITERATION_COUNT = 10000;
-    private static final int DEFAULT_MAC_ITERATION_COUNT = 10000;
+    private static final int DEFAULT_MAC_ITERATION_COUNT = 100000;
 
     // Legacy settings. Used when "keystore.pkcs12.legacy" is set.
     private static final String LEGACY_CERT_PBE_ALGORITHM
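Review bot: the changed DEFAULT_MAC_ALGORITHM and DEFAULT_MAC_ITERATION_COUNT lines carry no comment saying why the MAC default is HmacPBESHA1 with 100000 iterations while DEFAULT_KEY_PBE_ALGORITHM just above stays on PBEWithHmacSHA256AndAES_256 with 10000. A later reader will take the mismatch for an oversight. Add a short comment above the two MAC constants stating that these defaults are deliberately kept at the older values for interoperability, and check that any test asserting HmacPBESHA256 or a MAC iteration count of 10000 is updated in the same change.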
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index b0c5beccf6..893567071c 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -1200,12 +1200,12 @@ jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep
 # The algorithm used to calculate the optional MacData at the end of a PKCS12
 # file. This can be any HmacPBE algorithm defined in the Mac section of the
 # Java Security Standard Algorithm Names Specification. When set to "NONE",
-# no Mac is generated. The default value is "HmacPBESHA256".
-#keystore.pkcs12.macAlgorithm = HmacPBESHA256
+# no Mac is generated. The default value is "HmacPBESHA1".
+#keystore.pkcs12.macAlgorithm = HmacPBESHA1
 
 # The iteration count used by the MacData algorithm. This value must be a
-# positive integer. The default value is 10000.
-#keystore.pkcs12.macIterationCount = 10000
+# positive integer. The default value is 100000.
+#keystore.pkcs12.macIterationCount = 100000
 
 #
 # Enhanced exception message information</pre>
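Review bot: the updated comments for keystore.pkcs12.macAlgorithm and keystore.pkcs12.macIterationCount state the new defaults but not why the default MAC is SHA-1 based, nor that HmacPBESHA256 is still an accepted value. Add a sentence to the macAlgorithm comment saying the default is chosen for interoperability and that a stronger HmacPBE algorithm can be set here, and confirm that both documented defaults match DEFAULT_MAC_ALGORITHM and DEFAULT_MAC_ITERATION_COUNT in PKCS12KeyStore.java.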
    </blockquote>
    <p>regards,<br>
      Sean.<br>
    </p>
    <div class="moz-cite-prefix">On 28/05/2021 15:02, Doerr, Martin
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:AM4PR02MB3057B3E7AE927BCEE93F15E69A229@AM4PR02MB3057.eurprd02.prod.outlook.com">
      
      <div class="WordSection1">
        <p class="MsoNormal">Hi Sean,</p>
        <p class="MsoNormal">thank you for your quick reply. I was already hoping to get such feedback.</p>
        <p class="MsoNormal">I had read the CSR and I had already thought that you guys didn’t revert the complete change.</p>
        <p class="MsoNormal">My problem is that I can’t see what exactly you have done.</p>
        <p class="MsoNormal">I’m concerned about making it insecure by creating a mixture of old and new behavior. How can I ensure to get the same behavior as 11.0.12-oracle?</p>
        <p class="MsoNormal">Would it be possible to publish your security file and PKCS12KeyStore.java?</p>
        <p class="MsoNormal">Otherwise, wouldn’t it be safer to stick with the old behavior until we switch to the new one in a future release?</p>
        <p class="MsoNormal">Best regards,</p>
        <p class="MsoNormal">Martin</p>
        <div style="border:none;border-top:solid #B5C4DF
          1.0pt;padding:3.0pt 0cm 0cm 0cm">
          <p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
              </span></b><span style="font-size:12.0pt;color:black">Seán
              Coffey <a class="moz-txt-link-rfc2396E" href="mailto:sean.coffey@oracle.com">&lt;sean.coffey@oracle.com&gt;</a><br>
              <b>Date: </b>Friday, 28 May 2021 at 15:42<br>
              <b>To: </b>Doerr, Martin <a class="moz-txt-link-rfc2396E" href="mailto:martin.doerr@sap.com">&lt;martin.doerr@sap.com&gt;</a>,
              <a class="moz-txt-link-abbreviated" href="mailto:jdk-updates-dev@openjdk.java.net">jdk-updates-dev@openjdk.java.net</a>
              <a class="moz-txt-link-rfc2396E" href="mailto:jdk-updates-dev@openjdk.java.net">&lt;jdk-updates-dev@openjdk.java.net&gt;</a>, security-dev
              <a class="moz-txt-link-rfc2396E" href="mailto:security-dev@openjdk.java.net">&lt;security-dev@openjdk.java.net&gt;</a>, Hohensee, Paul
              <a class="moz-txt-link-rfc2396E" href="mailto:hohensee@amazon.com">&lt;hohensee@amazon.com&gt;</a><br>
              <b>Subject: </b>Re: [11u] RFR: 8267599: Revert the change
              to the default PKCS12 macAlgorithm and macIterationCount
              props for 11u/8u/7u</span></p>
        </div>
        <div>
          <p class="MsoNormal">Martin,<br>
            <br>
            you seem to be suggesting a full revert of the JDK-8153005
            changes. Note <br>
            that the Oracle JDK changes only relate to the default
            PKCS12 <br>
            macAlgorithm and macIterationCount (back to HmacPBESHA1 and
            100000 <br>
            respectively). While there are other interoperability
            concerns with the <br>
            keystore.pkcs12.certProtectionAlgorithm and <br>
            keystore.pkcs12.keyProtectionAlgorithm values [1], they
            relate to JDK <br>
            8u/7u where PKCS12 is not the default keystore type.<br>
            <br>
            regards,<br>
            Sean.<br>
            <br>
            [1] <a href="https://bugs.openjdk.java.net/browse/JDK-8267837" moz-do-not-send="true">https://bugs.openjdk.java.net/browse/JDK-8267837</a><br>
            <br>
            On 28/05/2021 13:52, Doerr, Martin wrote:<br>
            > Hi,<br>
            ><br>
            > Oracle has reverted the changes from JDK-8153005
            backport in 11.0.12-oracle for interoperability reasons.
            See:<br>
            > <a href="https://bugs.openjdk.java.net/browse/JDK-8267599" moz-do-not-send="true">https://bugs.openjdk.java.net/browse/JDK-8267599</a><br>
            > and CSR:<br>
            > <a href="https://bugs.openjdk.java.net/browse/JDK-8267701" moz-do-not-send="true">https://bugs.openjdk.java.net/browse/JDK-8267701</a><br>
            ><br>
            > I had to adapt the small test addition from JDK-8266293
            (see "// 8266293" comment in ParamsPreferences.java):<br>
            > <a href="http://cr.openjdk.java.net/~mdoerr/8267599_revert_8153005_11u/webrev.00/" moz-do-not-send="true">
http://cr.openjdk.java.net/~mdoerr/8267599_revert_8153005_11u/webrev.00/</a><br>
            ><br>
            > Please review.<br>
            > Comments?<br>
            ><br>
            > Best regards,<br>
            > Martin<br>
            ></p>
        </div>
      </div>
    </blockquote>
  </body>
</html>