On Fri, 5 Sep 2025 12:06:53 GMT, Sean Mullan <[email protected]> wrote:
>> Mark Powers has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> a few more comments
>
> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1489:
>
>> 1487: final MacData macData;
>> 1488:
>> 1489: if (macAlgorithm.equals("PBMAC1")) {
>
> The PBMAC1 algorithms are already defined in the standard algorithm names
> spec, see
> https://download.java.net/java/early_access/jdk25/docs/specs/security/standard-names.html#mac-algorithms
>
> The default value of the `keystore.pkcs12.macAlgorithm` security property in
> the `java.security` file should be changed to "PBEWithHmacSHA256" as part of
> this change.
>
> So you don't need to check if the algorithm is "PBMAC1", just use the
> algorithm that the property is set to.

Not sure if any tests will break if we make "PBEWithHmacSHA256" the default.
I'll check.

If the `keystore.pkcs12.macAlgorithm` security property is **not** changed,
then I believe the rule is to write the keystore as it was read, meaning a
keystore with the old MAC will be written as such. Removing this "PBMAC1" check
would make it impossible to do this.

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2355942286