On Wed, 17 Sep 2025 14:19:20 GMT, Weijun Wang <[email protected]> wrote:
>> Mark Powers has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> a few more comments
>
> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 180:
>
>> 178: private int macSaltLength = -1;
>> 179: private byte[] extraSalt = null;
>> 180: private int extraIterationCount = -1;
>
> I don't think it's necessary to break the user-provided mac algorithm like
> "PBEWithHmacSHA256" into `macAlgorithm == "PBMAC1"` and `pbmac1Hmac ==
> "HmacSHA256"`. Keep a single one no matter what kind of mac algorithm it is.

How necessary is it to remember `macSaltLength`? Before this change, we always generate a new salt of 20 bytes without looking at the old one.

Also, what about `extraSalt`, and `extraIterationCount`? Since they are useless for PBMAC1, why cannot we just always hardcode them in the encoding?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2355744083
