Fixed MAC computation in PKCS12Util.generatePFX().

The PKCS12Util.generatePFX() has been modified to use the same salt size and number of iterations as in pk12util when computing MAC data. https://pagure.io/dogtagpki/issue/2945 Change-Id: I73a4ac277e524e1b5ec7306c3940bb672a254cdb
dogtagpki · Feb 22, 2018 · 78af477 · 78af477
1 parent 4a066ac
commit 78af477
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -25,6 +25,7 @@
 import java.nio.file.Paths;
 import java.security.Principal;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.cert.CertificateException;
 import java.util.Collection;
 
@@ -64,8 +65,13 @@ public class PKCS12Util {
 
     private static Logger logger = LoggerFactory.getLogger(PKCS12Util.class);
 
+    SecureRandom random;
     boolean trustFlagsEnabled = true;
 
+    public PKCS12Util() throws Exception {
+        random = SecureRandom.getInstance("pkcs11prng", "Mozilla-JSS");
+    }
+
     public boolean isTrustFlagsEnabled() {
         return trustFlagsEnabled;
     }
@@ -357,7 +363,12 @@ public PFX generatePFX(PKCS12 pkcs12, Password password) throws Exception {
         }
 
         PFX pfx = new PFX(authSafes);
-        pfx.computeMacData(password, null, 5);
+
+        // Use the same salt size and number of iterations as in pk12util.
+
+        byte[] salt = new byte[16];
+        random.nextBytes(salt);
+        pfx.computeMacData(password, salt, 100000);
 
         return pfx;
     }