On Mon, 22 Sep 2025 21:29:42 GMT, Mark Powers <[email protected]> wrote:
>> No, `keystore.pkcs12.macAlgorithm` should only be used when a new keystore
>> is created. In this example, the keystore is created in the first command,
>> and the system property provided in the second command should be ignored.
>> This means `defaultMacAlgorithm` should only be called on line 1248 when
>> `macAlgorithm` is null.
>>
>> *Update*: since you've already removed `macAlgorithm.equals("PBMAC1")`,
>> `kdfHmac` can be read from `macAlgorithm` now. Same at lines 1947-1953.
>
> Then you can't read in an old keystore and write it back out as a PBMAC1
> keystore?
>
> I thought the PBE* security property value, if present, applied to all
> keystore writes.
It writes back using the original Mac algorithm.
If you really want to "upgrade" a keystore, run `keytool -importkeystore`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2370478374
