Re: [11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2021-05-12 Thread Doerr, Martin
Hi Paul,

thank you for the review!
I'll remove the extra blank line before pushing.

Best regards,
Martin


From: Hohensee, Paul
Date: Wednesday, May 12, 2021 at 00:00
To: Doerr, Martin, jdk-updates-...@openjdk.java.net, security-dev
Cc: Langer, Christoph
Subject: Re: [11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC
algorithms

There’s an extra blank line inserted at the end of java.security. Otherwise 
lgtm.

I’m fine with using KnownOIDs.java from tip. One might object that now it’s in 
a different location and must be kept sync’ed with tip, but I don’t agree 
because the backported version must be updated only when a test that needs the 
update is backported, and if that’s needed it’ll be obvious what to do.

Thanks,
Paul

From: security-dev  on behalf of "Doerr, 
Martin" 
Date: Friday, April 30, 2021 at 9:35 AM
To: "jdk-updates-...@openjdk.java.net" , 
security-dev 
Cc: "Langer, Christoph" 
Subject: [11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC 
algorithms

Hi,

JDK-8153005 is backported to 11.0.12-oracle. I'd like to backport it for parity.
It doesn't apply cleanly.

Bug:
https://bugs.openjdk.java.net/browse/JDK-8153005

CSR covering 11u:
https://bugs.openjdk.java.net/browse/JDK-8228481

Original change:
https://github.com/openjdk/jdk/commit/f77a6585

11u rejected hunks:
http://cr.openjdk.java.net/~mdoerr/8153005_PKCS12_11u/8153005_PKCS12_rej.txt

Resolution:
- Regular code is trivial to resolve, but the tests are tricky and the hunks 
were mostly integrated manually.
- Introduce test/lib/jdk/test/lib/KnownOIDs.java as copy from jdk head 
src/java.base/share/classes/sun/security/util/KnownOIDs.java with last change 
from Oct 2020. Put into package jdk.test.lib and using System.out as debug 
output stream. This should make future backports easier, too.
- DerUtils.java: ObjectIdentifier interface is different in 11u (different 
constructors).
- Hunks in GenerateAll.java were skipped because the affected code is not in 
11u (JDK-8242068).

11u backport:
http://cr.openjdk.java.net/~mdoerr/8153005_PKCS12_11u/webrev.00/

Please review.

Best regards,
Martin



Re: [11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2021-05-11 Thread Hohensee, Paul
There’s an extra blank line inserted at the end of java.security. Otherwise 
lgtm.

I’m fine with using KnownOIDs.java from tip. One might object that now it’s in 
a different location and must be kept sync’ed with tip, but I don’t agree 
because the backported version must be updated only when a test that needs the 
update is backported, and if that’s needed it’ll be obvious what to do.

Thanks,
Paul

From: security-dev  on behalf of "Doerr, 
Martin" 
Date: Friday, April 30, 2021 at 9:35 AM
To: "jdk-updates-...@openjdk.java.net" , 
security-dev 
Cc: "Langer, Christoph" 
Subject: [11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC 
algorithms

Hi,

JDK-8153005 is backported to 11.0.12-oracle. I'd like to backport it for parity.
It doesn't apply cleanly.

Bug:
https://bugs.openjdk.java.net/browse/JDK-8153005

CSR covering 11u:
https://bugs.openjdk.java.net/browse/JDK-8228481

Original change:
https://github.com/openjdk/jdk/commit/f77a6585

11u rejected hunks:
http://cr.openjdk.java.net/~mdoerr/8153005_PKCS12_11u/8153005_PKCS12_rej.txt

Resolution:
- Regular code is trivial to resolve, but the tests are tricky and the hunks 
were mostly integrated manually.
- Introduce test/lib/jdk/test/lib/KnownOIDs.java as copy from jdk head 
src/java.base/share/classes/sun/security/util/KnownOIDs.java with last change 
from Oct 2020. Put into package jdk.test.lib and using System.out as debug 
output stream. This should make future backports easier, too.
- DerUtils.java: ObjectIdentifier interface is different in 11u (different 
constructors).
- Hunks in GenerateAll.java were skipped because the affected code is not in 
11u (JDK-8242068).

11u backport:
http://cr.openjdk.java.net/~mdoerr/8153005_PKCS12_11u/webrev.00/

Please review.

Best regards,
Martin



[11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2021-04-30 Thread Doerr, Martin
Hi,

JDK-8153005 is backported to 11.0.12-oracle. I'd like to backport it for parity.
It doesn't apply cleanly.

Bug:
https://bugs.openjdk.java.net/browse/JDK-8153005

CSR covering 11u:
https://bugs.openjdk.java.net/browse/JDK-8228481

Original change:
https://github.com/openjdk/jdk/commit/f77a6585

11u rejected hunks:
http://cr.openjdk.java.net/~mdoerr/8153005_PKCS12_11u/8153005_PKCS12_rej.txt

Resolution:
- Regular code is trivial to resolve, but the tests are tricky and the hunks 
were mostly integrated manually.
- Introduce test/lib/jdk/test/lib/KnownOIDs.java as copy from jdk head 
src/java.base/share/classes/sun/security/util/KnownOIDs.java with last change 
from Oct 2020. Put into package jdk.test.lib and using System.out as debug 
output stream. This should make future backports easier, too.
- DerUtils.java: ObjectIdentifier interface is different in 11u (different 
constructors).
- Hunks in GenerateAll.java were skipped because the affected code is not in 
11u (JDK-8242068).

11u backport:
http://cr.openjdk.java.net/~mdoerr/8153005_PKCS12_11u/webrev.00/

Please review.

Best regards,
Martin



Re: RFR 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-11-24 Thread Sean Mullan

On 11/24/20 11:28 AM, Weijun Wang wrote:
> Is “keystore.pkcs12.*” better? Or, maybe more clear?
>
>    See the security properties starting with `keystore.pkcs12` in the
> `java.security` file for detailed information.

"starting with" should be sufficient, I think. No need for the asterisk.

--Sean

> Thanks,
> Max
>
>> On Nov 24, 2020, at 11:23 AM, Sean Mullan  wrote:
>>
>> On 11/17/20 4:38 PM, Weijun Wang wrote:
>>>> On Apr 10, 2020, at 5:03 AM, Weijun Wang  wrote:
>>>>
>>>> Please take a review at
>>>>
>>>>    CSR : 8228481: Upgrade the default PKCS12 encryption/MAC algorithms
>>>>   Release note : https://bugs.openjdk.java.net/browse/JDK-8242069
>>> I forget if the release note has been reviewed before. If not, please take a
>>> look.
>>
>> I made a few small wording changes and added "keystore.pkcs12" for the security
>> properties to look for more information.
>>
>> --Sean
>>
>>> Thanks,
>>> Max
>>>> webrev : http://cr.openjdk.java.net/~weijun/8153005/webrev.00/
>>>>
>>>> The default pkcs12 algorithms are bumped into PBE and HMAC based on SHA-256 and
>>>> AES-256.
>>>>
>>>> Thanks,
>>>> Max





Re: RFR 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-11-24 Thread Weijun Wang
Is “keystore.pkcs12.*” better? Or, maybe more clear?

   See the security properties starting with `keystore.pkcs12` in the 
`java.security` file for detailed information. 

Thanks,
Max

> On Nov 24, 2020, at 11:23 AM, Sean Mullan  wrote:
> 
> On 11/17/20 4:38 PM, Weijun Wang wrote:
>>> On Apr 10, 2020, at 5:03 AM, Weijun Wang  wrote:
>>> 
>>> Please take a review at
>>> 
>>>   CSR : 8228481: Upgrade the default PKCS12 encryption/MAC 
>>> algorithms
>>>  Release note : https://bugs.openjdk.java.net/browse/JDK-8242069
>> I forget if the release note has been reviewed before. If not, please take a 
>> look.
> 
> I made a few small wording changes and added "keystore.pkcs12" for the 
> security properties to look for more information.
> 
> --Sean
> 
>> Thanks,
>> Max
>>> webrev : http://cr.openjdk.java.net/~weijun/8153005/webrev.00/
>>> 
>>> The default pkcs12 algorithms are bumped into PBE and HMAC based on SHA-256 
>>> and AES-256.
>>> 
>>> Thanks,
>>> Max
>>> 



Re: RFR 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-11-24 Thread Sean Mullan

On 11/17/20 4:38 PM, Weijun Wang wrote:
>> On Apr 10, 2020, at 5:03 AM, Weijun Wang  wrote:
>>
>> Please take a review at
>>
>>    CSR : 8228481: Upgrade the default PKCS12 encryption/MAC algorithms
>>   Release note : https://bugs.openjdk.java.net/browse/JDK-8242069
>
> I forget if the release note has been reviewed before. If not, please take a
> look.

I made a few small wording changes and added "keystore.pkcs12" for the
security properties to look for more information.

--Sean

> Thanks,
> Max
>
>> webrev : http://cr.openjdk.java.net/~weijun/8153005/webrev.00/
>>
>> The default pkcs12 algorithms are bumped into PBE and HMAC based on SHA-256 and
>> AES-256.
>>
>> Thanks,
>> Max





Re: RFR 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-11-17 Thread Weijun Wang



> On Apr 10, 2020, at 5:03 AM, Weijun Wang  wrote:
> 
> Please take a review at
> 
>   CSR : 8228481: Upgrade the default PKCS12 encryption/MAC algorithms
>  Release note : https://bugs.openjdk.java.net/browse/JDK-8242069


I forget if the release note has been reviewed before. If not, please take a 
look.

Thanks,
Max

> webrev : http://cr.openjdk.java.net/~weijun/8153005/webrev.00/
> 
> The default pkcs12 algorithms are bumped into PBE and HMAC based on SHA-256 
> and AES-256.
> 
> Thanks,
> Max
> 



Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms [v4]

2020-10-30 Thread Weijun Wang
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
> Please also review the CSR at 
> https://bugs.openjdk.java.net/browse/JDK-8228481.

Weijun Wang has updated the pull request with a new target base due to a merge 
or a rebase. The incremental webrev excludes the unrelated changes brought in 
by the merge/rebase. The pull request contains five additional commits since 
the last revision:

 - simplify test
 - merge
 - update README and exclude README
 - change ic to 1
 - 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

-

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/473/files
  - new: https://git.openjdk.java.net/jdk/pull/473/files/41be78aa..31a22fd4

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=473&range=03
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=473&range=02-03

  Stats: 401475 lines in 1918 files changed: 365145 ins; 23887 del; 12443 mod
  Patch: https://git.openjdk.java.net/jdk/pull/473.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/473/head:pull/473

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms [v3]

2020-10-30 Thread Sean Mullan
On Fri, 9 Oct 2020 01:33:38 GMT, Weijun Wang  wrote:

>> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
>> Please also review the CSR at 
>> https://bugs.openjdk.java.net/browse/JDK-8228481.
>
> Weijun Wang has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   update README and exclude README

Marked as reviewed by mullan (Reviewer).

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms [v3]

2020-10-08 Thread Weijun Wang
On Fri, 9 Oct 2020 00:07:39 GMT, Weijun Wang  wrote:

>> I tried but cannot find a way to tell if a system is Windows Server 2016 or 
>> 2019. Their os.version is all 10.0. I've
>> filed an enhancement at https://bugs.openjdk.java.net/browse/JDK-8254241 for 
>> it. That said, I did try running the test
>> on a Windows Server 2019 using new algorithms and it succeeds.
>
> There are existing tests reading openssl generated pkcs12 files in
> https://github.com/openjdk/jdk/tree/master/test/jdk/sun/security/pkcs12/params,
>  it already contains files using both
> weak and strong algorithms.

Update `params/README`, exclude it from the de-BASE64 list (don't know it 
succeeded) in the `ParamsTest.java` test.
Also remove a useless call in the test.

Thinking about adding a benchmark, but it will be in another commit.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms [v3]

2020-10-08 Thread Weijun Wang
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.

Weijun Wang has updated the pull request incrementally with one additional 
commit since the last revision:

  update README and exclude README

-

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/473/files
  - new: https://git.openjdk.java.net/jdk/pull/473/files/6b5c5b5e..41be78aa

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=473&range=02
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=473&range=01-02

  Stats: 39 lines in 2 files changed: 7 ins; 6 del; 26 mod
  Patch: https://git.openjdk.java.net/jdk/pull/473.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/473/head:pull/473

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms [v2]

2020-10-08 Thread Weijun Wang
On Fri, 9 Oct 2020 00:04:17 GMT, Weijun Wang  wrote:

>> Are you still planning, or is it possible to add a test for Windows 2019? 
>> Also, have you considered adding a test that
>> checks if the JDK can read OpenSSL PKCS#12 files and vice versa? Maybe we 
>> can do that later as a follow-on issue.
>> Otherwise, I will approve.
>
> I tried but cannot find a way to tell if a system is Windows Server 2016 or 
> 2019. Their os.version is all 10.0. I've
> filed an enhancement at https://bugs.openjdk.java.net/browse/JDK-8254241 for 
> it. That said, I did try running the test
> on a Windows Server 2019 using new algorithms and it succeeds.

There are existing tests reading openssl generated pkcs12 files in
https://github.com/openjdk/jdk/tree/master/test/jdk/sun/security/pkcs12/params, 
but I can add a new one using strong
algorithms.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms [v2]

2020-10-08 Thread Weijun Wang
On Thu, 8 Oct 2020 16:34:59 GMT, Sean Mullan  wrote:

>> New commit updating ic to 1. I also created separate constants for 
>> DEFAULT_CERT_PBE_ITERATION_COUNT and
>> DEFAULT_KEY_PBE_ITERATION_COUNT. I haven't made the change for 
>> LEGACY_PBE_ITERATION_COUNT since they will never change.
>
> Are you still planning, or is it possible to add a test for Windows 2019? 
> Also, have you considered adding a test that
> checks if the JDK can read OpenSSL PKCS#12 files and vice versa? Maybe we can 
> do that later as a follow-on issue.
> Otherwise, I will approve.

I tried but cannot find a way to tell if a system is Windows Server 2016 or 
2019. Their os.version is all 10.0. I've
filed an enhancement for it. That said, I did try running the test using new 
algorithms and it succeeds.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms [v2]

2020-10-08 Thread Sean Mullan
On Thu, 8 Oct 2020 14:21:09 GMT, Weijun Wang  wrote:

>> CSR updated. More description, and iteration counts lowered to 1. Will 
>> update code soon.
>
> New commit updating ic to 1. I also created separate constants for 
> DEFAULT_CERT_PBE_ITERATION_COUNT and
> DEFAULT_KEY_PBE_ITERATION_COUNT. I haven't made the change for 
> LEGACY_PBE_ITERATION_COUNT since they will never change.

Are you still planning, or is it possible to add a test for Windows 2019? Also, 
have you considered adding a test that
checks if the JDK can read OpenSSL PKCS#12 files and vice versa? Maybe we can 
do that later as a follow-on issue.
Otherwise, I will approve.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms [v2]

2020-10-08 Thread Weijun Wang
On Wed, 7 Oct 2020 22:49:09 GMT, Weijun Wang  wrote:

>> CSR looks good. In "Sepcification" section: a typo in 'Thr iteration counts 
>> used by'. At the end, it describes the new
>> system property will override the security properties and use the older and 
>> weaker algorithms, so suggest we could also
>> add text about setting the iteration counts to the default legacy values.
>
> CSR updated. More description, and iteration counts lowered to 1. Will 
> update code soon.

New commit updating ic to 1. I also created separate constants for 
DEFAULT_CERT_PBE_ITERATION_COUNT and
DEFAULT_KEY_PBE_ITERATION_COUNT. I haven't made the change for 
LEGACY_PBE_ITERATION_COUNT since they will never change.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms [v2]

2020-10-08 Thread Weijun Wang
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.

Weijun Wang has updated the pull request incrementally with one additional 
commit since the last revision:

  change ic to 1

-

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/473/files
  - new: https://git.openjdk.java.net/jdk/pull/473/files/b99611b3..6b5c5b5e

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=473&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=473&range=00-01

  Stats: 52 lines in 5 files changed: 1 ins; 1 del; 50 mod
  Patch: https://git.openjdk.java.net/jdk/pull/473.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/473/head:pull/473

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-07 Thread Hai-May Chao
On Wed, 7 Oct 2020 22:08:19 GMT, Hai-May Chao  wrote:

>> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
>> Please also review the CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8228481.
>
> Looks good. Only minor comments.

CSR looks good. In "Sepcification" section: a typo in 'Thr iteration counts 
used by'. At the end, it describes the new
system property will override the security properties and use the older and 
weaker algorithms, so suggest we could also
add text about setting the iteration counts to the default legacy values.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-07 Thread Weijun Wang
On Wed, 7 Oct 2020 22:20:07 GMT, Hai-May Chao  wrote:

>> Looks good. Only minor comments.
>
> CSR looks good. In "Sepcification" section: a typo in 'Thr iteration counts 
> used by'. At the end, it describes the new
> system property will override the security properties and use the older and 
> weaker algorithms, so suggest we could also
> add text about setting the iteration counts to the default legacy values.

CSR updated. More description, and iteration counts lowered to 1. Will 
update code soon.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-07 Thread Hai-May Chao
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang  wrote:

> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.

Looks good. Only minor comments.

src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 103:

> 101: = "PBEWithHmacSHA256AndAES_256";
> 102: private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA256";
> 103: private static final int DEFAULT_PBE_ITERATION_COUNT = 5;

As we have keystore.pkcs12.certPbeIterationCount and 
keystore.pkcs12.keyPbeIterationCount, I would like to suggest that
we can define DEFAULT_CERT_PBE_ITERATION_COUNT and 
DEFAULT_KEY_PBE_ITERATION_COUNT, specifying each of the values for
finer granularity. Same for LEGACY_PBE_ITERATION_COUNT.

test/jdk/sun/security/mscapi/VeryLongAlias.java line 48:

> 46:
> 47: static String alias = String.format("%0512d", new 
> Random().nextInt(10));
> 48:

Add bug number to @bug.

-

PR: https://git.openjdk.java.net/jdk/pull/473
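
Added example (not part of this thread or of the JDK change): a small audit program that writes a PKCS12 keystore under explicitly set `keystore.pkcs12.*` security properties and reports which algorithm identifiers end up in the file, once with the new algorithm names quoted above and once with the legacy ones. It assumes a JDK that honours the `keystore.pkcs12.keyProtectionAlgorithm` and `keystore.pkcs12.macAlgorithm` properties; the class name, alias, password and key bytes are constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;

public class Pkcs12AlgAudit {
    // OIDs of algorithm identifiers that PKCS12 stores outside the encrypted payload.
    static final Map<String, String> OIDS = new LinkedHashMap<>();
    static {
        OIDS.put("1.2.840.113549.1.5.13", "PBES2");
        OIDS.put("1.2.840.113549.2.9", "hmacWithSHA256 (PBKDF2 PRF)");
        OIDS.put("2.16.840.1.101.3.4.1.42", "aes256-CBC");
        OIDS.put("2.16.840.1.101.3.4.2.1", "SHA-256");
        OIDS.put("1.2.840.113549.1.12.1.3", "pbeWithSHAAnd3-KeyTripleDES-CBC (legacy)");
        OIDS.put("1.3.14.3.2.26", "SHA-1 (legacy)");
    }

    // DER-encode an OBJECT IDENTIFIER: tag 0x06, short-form length, base-128 arcs.
    static byte[] derOid(String dotted) {
        String[] arcs = dotted.split("\\.");
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        body.write(Integer.parseInt(arcs[0]) * 40 + Integer.parseInt(arcs[1]));
        for (int i = 2; i < arcs.length; i++) {
            long v = Long.parseLong(arcs[i]);
            int shift = 0;
            while ((v >>> (shift + 7)) != 0) shift += 7;   // find the top 7-bit group
            for (; shift >= 0; shift -= 7) {
                body.write((int) ((v >>> shift) & 0x7f) | (shift > 0 ? 0x80 : 0));
            }
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x06);
        out.write(body.size());
        out.write(body.toByteArray(), 0, body.size());
        return out.toByteArray();
    }

    static boolean contains(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    // Names of the known algorithm OIDs whose DER encoding occurs in the file.
    static List<String> algorithmsIn(byte[] p12) {
        List<String> found = new ArrayList<>();
        for (Map.Entry<String, String> e : OIDS.entrySet()) {
            if (contains(p12, derOid(e.getKey()))) found.add(e.getValue());
        }
        return found;
    }

    // Writes a one-entry keystore; note that this changes JVM-wide security properties.
    static byte[] store(String keyAlg, String macAlg) throws Exception {
        Security.setProperty("keystore.pkcs12.keyProtectionAlgorithm", keyAlg);
        Security.setProperty("keystore.pkcs12.macAlgorithm", macAlg);
        char[] pw = "changeit".toCharArray();              // constructed sample password
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry("demo",                                // constructed alias and all-zero key
                new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[32], "AES")),
                new KeyStore.PasswordProtection(pw));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("new:    "
                + algorithmsIn(store("PBEWithHmacSHA256AndAES_256", "HmacPBESHA256")));
        System.out.println("legacy: "
                + algorithmsIn(store("PBEWithSHA1AndDESede", "HmacPBESHA1")));
    }
}
```

The scan matches DER-encoded OIDs by bytes only, so treat it as a quick audit aid; use a real ASN.1 parser when the exact position of each identifier matters.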


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-07 Thread Weijun Wang
On Wed, 7 Oct 2020 22:06:28 GMT, Hai-May Chao  wrote:

>> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
>> Please also review the CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8228481.
>
> test/jdk/sun/security/mscapi/VeryLongAlias.java line 48:
> 
>> 46:
>> 47: static String alias = String.format("%0512d", new 
>> Random().nextInt(10));
>> 48:
> 
> Add bug number to @bug.

OK.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-06 Thread Weijun Wang
On Tue, 6 Oct 2020 18:34:34 GMT, Sean Mullan  wrote:

>> I only know Windows Server 2019 can accept the new algorithms.
>
> Ok, but maybe we can split this test in two and use the jtreg @requires tag 
> to run the newer algorithms on Windows
> Server 2019? It would be a useful test if this is the only test where we test 
> PKCS12 interop with Windows.

OK. Or I can see if there is an existing method in test/lib that can detect 
the version.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-06 Thread Sean Mullan
On Fri, 2 Oct 2020 19:07:20 GMT, Weijun Wang  wrote:

>> test/jdk/sun/security/mscapi/VeryLongAlias.java line 51:
>> 
>>> 49: public static void main(String[] args) throws Throwable {
>>> 50:
>>> 51: // Using the old algorithms to make sure the file is recognized
>> 
>> Do we also want to have a test that uses the new algorithms?
>
> I only know Windows Server 2019 can accept the new algorithms.

Ok, but maybe we can split this test in two and use the jtreg @requires tag to 
run the newer algorithms on Windows
Server 2019? It would be a useful test if this is the only test where we test 
PKCS12 interop with Windows.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-02 Thread Weijun Wang
On Fri, 2 Oct 2020 18:44:48 GMT, Sean Mullan  wrote:

>> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
>> Please also review the CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8228481.
>
> test/jdk/sun/security/mscapi/VeryLongAlias.java line 51:
> 
>> 49: public static void main(String[] args) throws Throwable {
>> 50:
>> 51: // Using the old algorithms to make sure the file is recognized
> 
> Do we also want to have a test that uses the new algorithms?

I only know Windows Server 2019 can accept the new algorithms.

> test/lib/jdk/test/lib/security/DerUtils.java line 1:
> 
>> 1: /*
> 
> Is this test change supposed to be a part of this fix?

Yes, the change simplifies `checkAlg` calls so they don't need to convert 
`KnownOIDs` or `String` to `ObjectIdentifier`
first.

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-02 Thread Sean Mullan
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang  wrote:

> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.

test/lib/jdk/test/lib/security/DerUtils.java line 1:

> 1: /*

Is this test change supposed to be a part of this fix?

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-02 Thread Sean Mullan
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang  wrote:

> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.

test/jdk/sun/security/mscapi/VeryLongAlias.java line 51:

> 49: public static void main(String[] args) throws Throwable {
> 50:
> 51: // Using the old algorithms to make sure the file is recognized

Do we also want to have a test that uses the new algorithms?

-

PR: https://git.openjdk.java.net/jdk/pull/473


Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-01 Thread Weijun Wang
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang  wrote:

> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.

TBD: We bumped iteration counts for PBE and HMAC to 5 and 10 when we 
were using weak algorithms. Now that the
algorithms are strong, we can consider lowering them. Currently, openssl 3.0.0 
uses 2048 and Windows Server 2019 uses 2000.

-

PR: https://git.openjdk.java.net/jdk/pull/473


RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-01 Thread Weijun Wang
Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. 
Please also review the CSR at
https://bugs.openjdk.java.net/browse/JDK-8228481.

-

Commit messages:
 - 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

Changes: https://git.openjdk.java.net/jdk/pull/473/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=473&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8153005
  Stats: 445 lines in 6 files changed: 170 ins; 103 del; 172 mod
  Patch: https://git.openjdk.java.net/jdk/pull/473.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/473/head:pull/473

PR: https://git.openjdk.java.net/jdk/pull/473


RFR 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-04-10 Thread Weijun Wang
Please take a review at

   CSR : 8228481: Upgrade the default PKCS12 encryption/MAC algorithms
  Release note : https://bugs.openjdk.java.net/browse/JDK-8242069
webrev : http://cr.openjdk.java.net/~weijun/8153005/webrev.00/

The default pkcs12 algorithms are bumped into PBE and HMAC based on SHA-256 and 
AES-256.

Thanks,
Max