On Thu, 3 Apr 2025 22:58:39 GMT, Mark Powers <[email protected]> wrote:
> [JDK-8343232](https://bugs.openjdk.org/browse/JDK-8343232)
>
> I cannot find a place where a new keystore can be generated using the new algorithm. I added `-J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA256` to a keytool command and it fails:
>
> ```
> $ keytool -keystore ks -keyalg ec -storepass changeit -genkeypair -alias a -dname CN=a -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA256 -debug
> Command line args: [-keystore, ks, -keyalg, ec, -storepass, changeit, -genkeypair, -alias, a, -dname, CN=a, -debug]
> Generating 384-bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
> 	for: CN=a
> keytool error: java.io.IOException: Integrity check failed: java.security.NoSuchAlgorithmException: Algorithm HmacPBEHMACSHA256 not available
> Exception in thread "main" java.io.IOException: Integrity check failed: java.security.NoSuchAlgorithmException: Algorithm HmacPBEHMACSHA256 not available
> 	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2204)
> 	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
> 	at java.base/java.security.KeyStore.load(KeyStore.java:1502)
> 	at java.base/java.security.KeyStore.getInstance(KeyStore.java:1824)
> 	at java.base/java.security.KeyStore.getInstance(KeyStore.java:1708)
> 	at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1396)
> 	at java.base/sun.security.tools.keytool.Main.run(Main.java:422)
> 	at java.base/sun.security.tools.keytool.Main.main(Main.java:403)
> Caused by: java.security.NoSuchAlgorithmException: Algorithm HmacPBEHMACSHA256 not available
> 	at java.base/javax.crypto.Mac.getInstance(Mac.java:192)
> 	at java.base/sun.security.pkcs12.PKCS12KeyStore.processMacData(PKCS12KeyStore.java:1939)
> 	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2198)
> 	... 7 more
> ```
>
> The exception above is thrown after keytool generated the keystore and tried to read some info from inside.
The pkcs12 file seems invalid; its MacData is still in the old format (not PBMAC1) with a problematic algorithm:

```
...
03CB:004C [2] SEQUENCE
03CD:0030 [20] SEQUENCE
03CF:000C [200] SEQUENCE
03D1:000A [2000] OID 1.2.840.113549.2.9 (HmacSHA256)
03DB:0022 [201] OCTET STRING (1410868021, 32 bytes)
0000: 5F 0D EA C5 9F 2B 66 B3 5D 7D A4 2A 13 CF EF E6  _....+f.]..*....
0010: 09 D3 E1 57 6D D2 DB 14 AB B3 18 B0 F5 E3 4C B9  ...Wm.........L.
03FD:0016 [21] OCTET STRING (-1902982241, 20 bytes)
0000: 23 7C B7 7C AC BB 38 E7 23 15 69 15 43 F9 FB CC  #.....8.#.i.C...
0010: C7 C7 92 0F                                      ....
0413:0004 [22] INTEGER 10000
```

The OID at position [2000] used to be SHA-256.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/24429#issuecomment-3258401867
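An added example, not code from the PR or the JDK: a small Python DER walker that classifies a PKCS #12 MacData as PBMAC1, legacy (digest OID) or invalid, and rebuilds a constructed MacData with the same shape as the dump above (the HmacSHA256 OID where a digest OID belongs; MAC and salt bytes are placeholders) to show it being flagged before a JDK tries to load the keystore.

```python
# Added example (not from the PR or the JDK): classify the MacData of a PKCS#12
# file so a legacy MacData carrying an HMAC OID, as in the PR's dump, is flagged.
PBMAC1_OID = "1.2.840.113549.1.5.14"                  # RFC 9579 integrity mode
DIGEST_OIDS = {"1.3.14.3.2.26": "SHA-1", "2.16.840.1.101.3.4.2.1": "SHA-256",
               "2.16.840.1.101.3.4.2.2": "SHA-384", "2.16.840.1.101.3.4.2.3": "SHA-512"}

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(contents):
    """Dotted-decimal form of DER OBJECT IDENTIFIER contents."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def classify_macdata(der):
    """Return (scheme, algorithm OID, iterations); scheme is 'pbmac1', 'legacy' or 'invalid'."""
    _, macdata, _ = _tlv(der)                 # MacData ::= SEQUENCE {
    _, digest_info, p = _tlv(macdata)         #   mac DigestInfo,
    _, alg_id, _ = _tlv(digest_info)          #     digestAlgorithm AlgorithmIdentifier
    _, oid_bytes, _ = _tlv(alg_id)            #       algorithm OBJECT IDENTIFIER
    _, _salt, p = _tlv(macdata, p)            #   macSalt OCTET STRING,
    iterations = 1                            #   iterations INTEGER DEFAULT 1 }
    if p < len(macdata):
        iterations = int.from_bytes(_tlv(macdata, p)[1], "big")
    oid = _oid(oid_bytes)
    if oid == PBMAC1_OID:
        return "pbmac1", oid, iterations      # salt and count live in PBMAC1-params instead
    if oid in DIGEST_OIDS:
        return "legacy", oid, iterations      # classic PKCS #12 MAC keyed from a digest
    return "invalid", oid, iterations         # e.g. the HmacSHA256 OID in the PR's dump
def _der(tag, contents):                      # short-form lengths suffice for the samples
    return bytes([tag, len(contents)]) + contents
def make_macdata(oid_hex, mac_len, salt_len, iterations=10000):
    """Constructed sample MacData; MAC and salt bytes are placeholders, not real values."""
    alg_id = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)))
    digest_info = _der(0x30, alg_id + _der(0x04, b"\xAA" * mac_len))
    tail = _der(0x04, b"\xBB" * salt_len) + _der(0x02, iterations.to_bytes(2, "big"))
    return _der(0x30, digest_info + tail)
BROKEN = make_macdata("2A864886F70D0209", 32, 20)    # 1.2.840.113549.2.9 (HmacSHA256), as in the PR
LEGACY = make_macdata("608648016503040201", 32, 20)  # 2.16.840.1.101.3.4.2.1 (SHA-256)
```

The constructed `BROKEN` sample encodes to 0x4C bytes, the same MacData length the dump above reports, and is classified as invalid because 1.2.840.113549.2.9 is an HMAC OID, not a digest OID or id-PBMAC1.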
