On Fri, 19 Sep 2025 02:22:55 GMT, Mark Powers <[email protected]> wrote:

>> How necessary is it to remember `macSaltLength`? Before this change, we
>> always generate a new salt of 20 bytes without looking at the old one. Also,
>> what about `extraSalt`, and `extraIterationCount`? Since they are useless
>> for PBMAC1, why cannot we just always hardcode them in the encoding?
>
> Imagine reading a PBMAC1 protected keystore with a 32 byte salt. Now it's
> time to write it out. You have to remember the salt length of whatever PBMAC1
> you just read in order to generate a new salt of the same length. It doesn't
> seem right to always generate 20 bytes of salt.
>
> We could hardcode the extras, but it seems better to me to return the
> original values if you're upgrading an old MAC protected keystore to a PBMAC1
> protected keystore. It's a nice touch but the code complexity might not be
> worth it.

You do have a point here, but we have always been rewriting salt with a possibly different length. We can discuss this in another issue, but the change is not necessary here, especially as it also affects other old Mac algorithms.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2363976542
