On Sun, 21 Sep 2025 20:58:05 GMT, Mark Powers <[email protected]> wrote:

>> You do have a point here, but we have always been rewriting the salt with a 
>> possibly different length. We can discuss this in another issue, but the 
>> change is not necessary here, especially since it also affects other old Mac 
>> algorithms.
>
> Are you suggesting to always generate a 20 byte salt?
>  
> Can you provide a line number for your first comment about breaking up 
> "PBEWithHmacSHA256"?
> This string is read from the property file and has nothing to do with any DER 
> encoded values read from the keystore input stream.

Yes, I think always generating a 20 byte salt is not a problem.

For the name break-up, I see that `macAlgorithm` can sometimes be 
`defaultMacAlgorithm()`, which is the full "PBEWithHmacSHA256" (line 1250), and 
sometimes only "PBMAC1" (line 2203), with `pbmac1Hmac` serving as the 
additional info. I suggest always using the full name.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2368385738
