On Mon, 29 Sep 2025 20:46:47 GMT, Weijun Wang <[email protected]> wrote:
>> src/java.base/share/classes/sun/security/pkcs12/MacData.java line 260:
>>
>>> 258:
>>> 259: var skf =
>>> SecretKeyFactory.getInstance(kdfHmac.equals("HmacSHA512") ?
>>> 260: "PBKDF2WithHmacSHA512" : "PBKDF2WithHmacSHA256");
>>
>> Why not just use `"PBKDF2With" + kdfHmac`? What if `kdfHmac` is "HmacSHA384"?
>
> Also, for old algorithms, this `SecretKeyFactory` should not be used, even if
> the final result can also be used. Use the old `getPBEKey` code here.
Fixed both. Tested with HmacSHA384 using keystore generated by `openssl`
command.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2393135787
