On Wed, 17 Sep 2025 14:37:45 GMT, Weijun Wang <[email protected]> wrote:
>> Mark Powers has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> a few more comments
>
> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1490:
>
>> 1488:
>> 1489: if (macAlgorithm.equals("PBMAC1") ||
>> 1490: defaultMacAlgorithm().startsWith("PBEWith")) {
>
> `calculateMac` is called when keystore is read from an existing file and
> `defaultMacAlgorithm` should not be used. Otherwise, algorithm will be
> modified. Try these:
>
> keytool -keystore ks -keyalg ec -storepass changeit -genkeypair -alias a
> -dname CN=a -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA512
> keytool -keystore ks -keyalg ec -storepass changeit -genkeypair -alias b
> -dname CN=b -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA256
If the keystore.pkcs12.macAlgorithm security property starts with PBE then
shouldn't an old MAC protected keystore be written with PBMAC1 protection?
I tried those two commands and they work as expected. I did fix a few problems
in the last two days so maybe I need to push those changes.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2360491815
