From 78af477fa47aa91cf915b6a3bed50985a870f63b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 22 Feb 2018 21:05:26 +0100
Subject: [PATCH] Fixed MAC computation in PKCS12Util.generatePFX().

The PKCS12Util.generatePFX() has been modified to use the same
salt size and number of iterations as in pk12util when computing
MAC data.

https://pagure.io/dogtagpki/issue/2945

Change-Id: I73a4ac277e524e1b5ec7306c3940bb672a254cdb
---
 .../util/src/netscape/security/pkcs/PKCS12Util.java | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 566827b4e72..eb41008b103 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -25,6 +25,7 @@
 import java.nio.file.Paths;
 import java.security.Principal;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.cert.CertificateException;
 import java.util.Collection;
 
@@ -64,8 +65,13 @@ public class PKCS12Util {
 
     private static Logger logger = LoggerFactory.getLogger(PKCS12Util.class);
 
+    SecureRandom random;
     boolean trustFlagsEnabled = true;
 
+    public PKCS12Util() throws Exception {
+        random = SecureRandom.getInstance("pkcs11prng", "Mozilla-JSS");
+    }
+
     public boolean isTrustFlagsEnabled() {
         return trustFlagsEnabled;
     }
@@ -357,7 +363,12 @@ public PFX generatePFX(PKCS12 pkcs12, Password password) throws Exception {
         }
 
         PFX pfx = new PFX(authSafes);
-        pfx.computeMacData(password, null, 5);
+
+        // Use the same salt size and number of iterations as in pk12util.
+
+        byte[] salt = new byte[16];
+        random.nextBytes(salt);
+        pfx.computeMacData(password, salt, 100000);
 
         return pfx;
     }