Hi Sean, thank you for your quick reply. I was already hoping to get such feedback.
I had read the CSR and I had already thought that you guys didn’t revert the complete change. My problem is that I can’t see what exactly you have done. I’m concerned about making it insecure by creating a mixture of old and new behavior. How can I ensure to get the same behavior as 11.0.12-oracle? Would it be possible to publish your security file and PKCS12KeyStore.java? Otherwise, wouldn’t it be safer to stick with the old behavior until we switch to the new one in a future release? Best regards, Martin Von: Seán Coffey <sean.cof...@oracle.com> Datum: Freitag, 28. Mai 2021 um 15:42 An: Doerr, Martin <martin.do...@sap.com>, jdk-updates-...@openjdk.java.net <jdk-updates-...@openjdk.java.net>, security-dev <security-dev@openjdk.java.net>, Hohensee, Paul <hohen...@amazon.com> Betreff: Re: [11u] RFR: 8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u Martin, you seem to be suggesting a full revert of the JDK-8153005 changes. Note that the Oracle JDK changes only relate to to the default PKCS12 macAlgorithm and macIterationCount (back to HmacPBESHA1 and 100000 respectively). While there are other interoperability concerns with the keystore.pkcs12.certProtectionAlgorithm and keystore.pkcs12.keyProtectionAlgorithm values [1], they relate to JDK 8u/7u where PKCS12 is not the default keystore type. regards, Sean. [1] https://bugs.openjdk.java.net/browse/JDK-8267837 On 28/05/2021 13:52, Doerr, Martin wrote: > Hi, > > Oracle has reverted the changes from JDK-8153005 backport in 11.0.12-oracle > for interoperability reasons. See: > https://bugs.openjdk.java.net/browse/JDK-8267599 > and CSR: > https://bugs.openjdk.java.net/browse/JDK-8267701 > > I had to adapt the small test addition from JDK-8266293 (see "// 8266293" > comment in ParamsPreferences.java): > http://cr.openjdk.java.net/~mdoerr/8267599_revert_8153005_11u/webrev.00/ > > Please review. > Comments? > > Best regards, > Martin >
