On Wed, 17 Sep 2025 15:35:29 GMT, Mark Powers <[email protected]> wrote:
>> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line
>> 1489:
>>
>>> 1487: final MacData macData;
>>> 1488:
>>> 1489: if (macAlgorithm.equals("PBMAC1")) {
>>
>> The PBMAC1 algorithms are already defined in the standard algorithm names
>> spec, see
>> https://download.java.net/java/early_access/jdk25/docs/specs/security/standard-names.html#mac-algorithms
>>
>> The default value of the `keystore.pkcs12.macAlgorithm` security property in
>> the `java.security` file should be changed to "PBEWithHmacSHA256" as part of
>> this change.
>>
>> So you don't need to check if the algorithm is "PBMAC1", just use the
>> algorithm that the property is set to.
>
> Not sure if any tests will break if we make "PBEWithHmacSHA256" the default.
> I'll check.
>
> If the `keystore.pkcs12.macAlgorithm` security property is **not** changed,
> then I believe the rule is to write the keystore as it was read, meaning a
> keystore with the old MAC will be written as such. Removing this "PBMAC1"
> check would make it impossible to do this.

I found one and maybe two existing tests that will have to be modified if
"PBEWithHmacSHA256" becomes the default.

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2356462159