here are the main changes that we pushed for JDK 11u:

diff --git 
a/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java 
b/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
index a62452bdcd..441f2b651e 100644
--- a/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
+++ b/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
@@ -101,10 +101,10 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
              = "PBEWithHmacSHA256AndAES_256";
      private static final String DEFAULT_KEY_PBE_ALGORITHM
              = "PBEWithHmacSHA256AndAES_256";
-    private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA256";
+    private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA1";
      private static final int DEFAULT_CERT_PBE_ITERATION_COUNT = 10000;
      private static final int DEFAULT_KEY_PBE_ITERATION_COUNT = 10000;
-    private static final int DEFAULT_MAC_ITERATION_COUNT = 10000;
+    private static final int DEFAULT_MAC_ITERATION_COUNT = 100000;
// Legacy settings. Used when "keystore.pkcs12.legacy" is set.
      private static final String LEGACY_CERT_PBE_ALGORITHM
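Review bot: nothing in this hunk records why DEFAULT_MAC_ALGORITHM and DEFAULT_MAC_ITERATION_COUNT go back to HmacPBESHA1 and 100000 while the DEFAULT_CERT_PBE_ALGORITHM and DEFAULT_KEY_PBE_ALGORITHM defaults two lines above keep PBEWithHmacSHA256AndAES_256 with 10000 iterations. The resulting defaults use a weaker digest but ten times the iteration count for the MAC than for the protection algorithms, which a later reader will be tempted to "harmonize" in one direction or the other. Suggest a comment on the two changed lines, e.g. `// 8267599: MacData defaults stay at HmacPBESHA1/100000 in 11u for interoperability; cert/key protection defaults are not reverted`, so the partial revert is visible in the code and not only in the CSR.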
diff --git a/src/java.base/share/conf/security/java.security 
b/src/java.base/share/conf/security/java.security
index b0c5beccf6..893567071c 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -1200,12 +1200,12 @@ jceks.key.serialFilter = 
java.base/java.lang.Enum;java.base/java.security.KeyRep
  # The algorithm used to calculate the optional MacData at the end of a PKCS12
  # file. This can be any HmacPBE algorithm defined in the Mac section of the
  # Java Security Standard Algorithm Names Specification. When set to "NONE",
-# no Mac is generated. The default value is "HmacPBESHA256".
-#keystore.pkcs12.macAlgorithm = HmacPBESHA256
+# no Mac is generated. The default value is "HmacPBESHA1".
+#keystore.pkcs12.macAlgorithm = HmacPBESHA1
# The iteration count used by the MacData algorithm. This value must be a
-# positive integer. The default value is 10000.
-#keystore.pkcs12.macIterationCount = 10000
+# positive integer. The default value is 100000.
+#keystore.pkcs12.macIterationCount = 100000
#
  # Enhanced exception message information
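Review bot: the rewritten comment lines ("The default value is "HmacPBESHA1"." and "The default value is 100000.") state the new defaults but give a reader of java.security no hint that they intentionally differ from the HmacPBESHA256/10000 defaults removed by this same hunk, or how to get those back. Since the property is documented right above as accepting any HmacPBE Mac name, add one sentence saying that 11u keeps HmacPBESHA1/100000 for interoperability with existing PKCS12 readers and that `keystore.pkcs12.macAlgorithm = HmacPBESHA256` can be set explicitly where a SHA-1 based Mac is not acceptable.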

regards,
Sean.
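Martin's question of whether a build really ends up with the same PKCS12 behaviour as 11.0.12-oracle can be answered from the keystore file itself: the MacData at the end of a PFX stores the digest algorithm OID and the iteration count in clear, so a file written by the patched JDK should show SHA-1 with 100000 iterations, and one written by a JDK carrying the unreverted JDK-8153005 defaults should show SHA-256 with 10000. The script below is an added example written for this thread, not code from OpenJDK or from either poster. It parses just the outer DER layers of a PFX (RFC 7292: PFX { version, authSafe, macData OPTIONAL }, MacData { mac DigestInfo, macSalt, iterations INTEGER DEFAULT 1 }) and, when run without a file argument, checks itself against two constructed fixtures that mimic the two sets of defaults. The script name p12mac.py is an assumption; the fixtures are constructed here and are not loadable keystores.

```python
"""Report the MacData digest and iteration count stored in a PKCS12 (PFX) file.
Added example for this thread, not OpenJDK code. Usage: python p12mac.py keystore.p12
(script name is an assumption); with no argument it runs on constructed fixtures.
"""
import sys

# Digest OIDs seen in MacData.digestAlgorithm -> JDK keystore.pkcs12.macAlgorithm name.
DIGEST_OIDS = {
    "1.3.14.3.2.26": "SHA-1 (HmacPBESHA1)",
    "2.16.840.1.101.3.4.2.1": "SHA-256 (HmacPBESHA256)",
}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite-length BER is not supported")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out

def _decode_oid(content):
    arcs, n = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def pkcs12_mac_params(der):
    """Return (digest_oid, iterations), or None if the PFX carries no MacData."""
    tag, pfx, _ = _read_tlv(der, 0)
    fields = _children(pfx) if tag == 0x30 else []
    if len(fields) < 2 or fields[0][0] != 0x02 or fields[1][0] != 0x30:
        raise ValueError("not a PKCS12 PFX structure")
    if len(fields) < 3:
        return None                        # macAlgorithm = NONE, or a writer that omits the MAC
    mac_data = _children(fields[2][1])
    alg_id = _children(_children(mac_data[0][1])[0][1])   # DigestInfo.digestAlgorithm
    iterations = 1                                         # RFC 7292 DEFAULT when absent
    if len(mac_data) > 2:
        iterations = int.from_bytes(mac_data[2][1], "big", signed=True)
    return _decode_oid(alg_id[0][1]), iterations

def describe(der):
    params = pkcs12_mac_params(der)
    if params is None:
        return "no MacData: keystore integrity is unprotected"
    return f"{DIGEST_OIDS.get(params[0], 'OID ' + params[0])}, {params[1]} iterations"

# Minimal DER encoder, used only to build the constructed fixtures below.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    l = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(l)]) + l + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def build_sample_pfx(digest_oid=None, iterations=1):
    """Constructed fixture: version 3, an empty authSafe and, if digest_oid is
    given, a MacData with dummy digest and salt. Not a loadable keystore."""
    to_int = lambda v: v.to_bytes(v.bit_length() // 8 + 1, "big")   # positive DER INTEGER
    auth_safe = _tlv(0x30, _tlv(0x06, _oid("1.2.840.113549.1.7.1")) + _tlv(0xA0, _tlv(0x04, b"")))
    body = _tlv(0x02, to_int(3)) + auth_safe
    if digest_oid is not None:
        alg = _tlv(0x30, _tlv(0x06, _oid(digest_oid)) + _tlv(0x05, b""))
        digest_info = _tlv(0x30, alg + _tlv(0x04, b"\x00" * 20))
        body += _tlv(0x30, digest_info + _tlv(0x04, b"\x01" * 20) + _tlv(0x02, to_int(iterations)))
    return _tlv(0x30, body)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read()))
    else:
        print("reverted 11u default:", describe(build_sample_pfx("1.3.14.3.2.26", 100000)))
        print("JDK-8153005 default :", describe(build_sample_pfx("2.16.840.1.101.3.4.2.1", 10000)))
```

Run it against a keystore written by `keytool -genkeypair -storetype pkcs12` on each build under test and compare the two outputs; a mixture of old and new behaviour would show up as SHA-256 with 100000 iterations or SHA-1 with 10000. The checker only reads the MacData, so the cert and key protection algorithms (which live inside the encrypted authSafe) still need `openssl pkcs12 -info` or the ParamsPreferences test to confirm; recent OpenSSL versions also print the MAC digest and iteration count, which is a handy cross-check of this script.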

On 28/05/2021 15:02, Doerr, Martin wrote:

Hi Sean,

thank you for your quick reply. I was already hoping to get such feedback.

I had read the CSR and I had already thought that you guys didn’t revert the complete change.

My problem is that I can’t see what exactly you have done.

I’m concerned about making it insecure by creating a mixture of old and new behavior. How can I ensure that I get the same behavior as 11.0.12-oracle?

Would it be possible to publish your security file and PKCS12KeyStore.java?

Otherwise, wouldn’t it be safer to stick with the old behavior until we switch to the new one in a future release?

Best regards,

Martin

*From: *Seán Coffey <sean.cof...@oracle.com>
*Date: *Friday, 28 May 2021 at 15:42
*To: *Doerr, Martin <martin.do...@sap.com>, jdk-updates-...@openjdk.java.net <jdk-updates-...@openjdk.java.net>, security-dev <security-dev@openjdk.java.net>, Hohensee, Paul <hohen...@amazon.com>
*Subject: *Re: [11u] RFR: 8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u

Martin,

you seem to be suggesting a full revert of the JDK-8153005 changes. Note
that the Oracle JDK changes only relate to the default PKCS12
macAlgorithm and macIterationCount (back to HmacPBESHA1 and 100000
respectively). While there are other interoperability concerns with the
keystore.pkcs12.certProtectionAlgorithm and
keystore.pkcs12.keyProtectionAlgorithm values [1], they relate to JDK
8u/7u where PKCS12 is not the default keystore type.

regards,
Sean.

[1] https://bugs.openjdk.java.net/browse/JDK-8267837

On 28/05/2021 13:52, Doerr, Martin wrote:
> Hi,
>
> Oracle has reverted the changes from the JDK-8153005 backport in 11.0.12-oracle for interoperability reasons. See:
> https://bugs.openjdk.java.net/browse/JDK-8267599
> and CSR:
> https://bugs.openjdk.java.net/browse/JDK-8267701
>
> I had to adapt the small test addition from JDK-8266293 (see the "// 8266293" comment in ParamsPreferences.java):
> http://cr.openjdk.java.net/~mdoerr/8267599_revert_8153005_11u/webrev.00/
>
> Please review.
> Comments?
>
> Best regards,
> Martin
>
