On Mon, 22 Sep 2025 20:39:22 GMT, Weijun Wang <[email protected]> wrote:
>> If the keystore.pkcs12.macAlgorithm security property starts with PBE then
>> shouldn't an old MAC protected keystore be written with PBMAC1 protection?
>>
>> I tried those two commands and they work as expected. I did fix a few
>> problems in the last two days so maybe I need to push those changes.
>
> No, `keystore.pkcs12.macAlgorithm` should only be used when a new keystore is
> created. In this example, the keystore is created in the first command, and
> the system property provided in the second command should be ignored. This
> means `defaultMacAlgorithm` should only be called on line 1248 when
> `macAlgorithm` is null.
>
> *Update*: since you've already removed `macAlgorithm.equals("PBMAC1")`,
> `kdfHmac` can be read from `macAlgorithm` now. Same at lines 1947-1953.
Then you can't read in an old keystore and write it back out as a PBMAC1
keystore?
I thought the PBE* security property value, if present, applied to all keystore
writes.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2370348348
