On Fri, 30 Apr 2021 17:35:46 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> `PKCS12KeyStore` always uses a 20-byte salt in encryption but
> PBEWithMD5AndDES only accepts 8-byte salt. With this code change, the salt
> used for this algorithm will be 8 bytes.
>
> RFC 2898 only requires the salt to be at least 8 bytes, but I don't intend to
> modify the `PBES1Core.java` to accept a long salt. Otherwise, a newly
> generated PKCS #12 file using a long salt will not be recognized by an old
> JDK.
>
> Also, although `PBES1Core.java` also take cares of another algorithm named
> PBEWithMD5AndDESede but it's not usable in a PKCS #12 keystore as we have
> not defined its Object Identifier anywhere.
src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 811:
> 809: byte[] salt = getSalt();
> 810: if (KnownOIDs.findMatch(algorithm) ==
> KnownOIDs.PBEWithMD5AndDES) {
> 811: // PBEWithMD5AndDES requires a 8-byte salt
nit: maybe use "PBES1 scheme such as PBEWithMD5AndDES requires a 8-byte salt"
-------------
PR: https://git.openjdk.java.net/jdk/pull/3822
