On Wed, 24 Sep 2025 16:53:17 GMT, Weijun Wang <[email protected]> wrote:
>> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line
>> 1493:
>>
>>> 1491: if (!(kdfHmac.equals("HmacSHA512") ||
>>> 1492: kdfHmac.equals("HmacSHA256"))) {
>>> 1493: kdfHmac = pbmac1Hmac; // use value associated
>>> with keystore
>>
>> `pbmac1Hmac` is probably null now. If you decide to reject other algorithms
>> (which I don't find necessary), error out.
>
> Why is `pbmac1Hmac` necessary? Do we want to support writing with different
> PRF and HMAC?
Writing with different PRF and HMAC **is** supported. Test vector #2 in the RFC
passes.
`pbmac1Hmac` is gone.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2388313026
