On Thu, 18 Sep 2025 17:44:07 GMT, Mark Powers <[email protected]> wrote:
>> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line
>> 1490:
>>
>>> 1488:
>>> 1489: if (macAlgorithm.equals("PBMAC1") ||
>>> 1490: defaultMacAlgorithm().startsWith("PBEWith")) {
>>
>> `calculateMac` is called when keystore is read from an existing file and
>> `defaultMacAlgorithm` should not be used. Otherwise, algorithm will be
>> modified. Try these:
>>
>> keytool -keystore ks -keyalg ec -storepass changeit -genkeypair -alias a
>> -dname CN=a -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA512
>> keytool -keystore ks -keyalg ec -storepass changeit -genkeypair -alias b
>> -dname CN=b -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA256
>
> If the keystore.pkcs12.macAlgorithm security property starts with PBE then
> shouldn't an old MAC protected keystore be written with PBMAC1 protection?
>
> I tried those two commands and they work as expected. I did fix a few
> problems in the last two days so maybe I need to push those changes.
No, `keystore.pkcs12.macAlgorithm` should only be used when a new keystore is
created. In this example, the keystore is created in the first command, and the
system property provided in the second command should be ignored. This means
`defaultMacAlgorithm` should only be called on line 1248 when `macAlgorithm` is
null.
*Update*: since you've already removed `macAlgorithm.equals("PBMAC1")`,
`kdfHmac` can be read from `macAlgorithm` now. Same at lines 1947-1953.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2370251718
