8267880: Upgrade the default PKCS12 MAC algorithm
Reviewed-by: mbaesken
GoeLin committed Aug 2, 2022
1 parent e80c7e1 commit 9cf9879
Showing 4 changed files with 23 additions and 23 deletions.
Expand Up @@ -101,10 +101,10 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
= "PBEWithHmacSHA256AndAES_256";
private static final String DEFAULT_KEY_PBE_ALGORITHM
= "PBEWithHmacSHA256AndAES_256";
private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA1";
private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA256";
private static final int DEFAULT_CERT_PBE_ITERATION_COUNT = 10000;
private static final int DEFAULT_KEY_PBE_ITERATION_COUNT = 10000;
private static final int DEFAULT_MAC_ITERATION_COUNT = 100000;
private static final int DEFAULT_MAC_ITERATION_COUNT = 10000;

// Legacy settings. Used when "keystore.pkcs12.legacy" is set.
private static final String LEGACY_CERT_PBE_ALGORITHM
8 changes: 4 additions & 4 deletions src/java.base/share/conf/security/java.security
Expand Up @@ -1213,12 +1213,12 @@ jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep
# The algorithm used to calculate the optional MacData at the end of a PKCS12
# file. This can be any HmacPBE algorithm defined in the Mac section of the
# Java Security Standard Algorithm Names Specification. When set to "NONE",
# no Mac is generated. The default value is "HmacPBESHA1".
#keystore.pkcs12.macAlgorithm = HmacPBESHA1
# no Mac is generated. The default value is "HmacPBESHA256".
#keystore.pkcs12.macAlgorithm = HmacPBESHA256

# The iteration count used by the MacData algorithm. This value must be a
# positive integer. The default value is 100000.
#keystore.pkcs12.macIterationCount = 100000
# positive integer. The default value is 10000.
#keystore.pkcs12.macIterationCount = 10000

#
# Enhanced exception message information
18 changes: 9 additions & 9 deletions test/jdk/sun/security/pkcs12/KeytoolOpensslInteropTest.java
Expand Up @@ -169,8 +169,8 @@ private static void testWithJavaCommands() throws Throwable {
keytool("-importkeystore -srckeystore ks -srcstorepass changeit "
+ "-destkeystore ksnormal -deststorepass changeit");
data = Files.readAllBytes(Path.of("ksnormal"));
checkInt(data, "22", 100000); // Mac ic
checkAlg(data, "2000", SHA_1); // Mac alg
checkInt(data, "22", 10000); // Mac ic
checkAlg(data, "2000", SHA_256); // Mac alg
checkAlg(data, "110c010c01000", PBES2); // key alg
checkInt(data, "110c010c01001011", 10000); // key ic
checkAlg(data, "110c110110", PBES2); // cert alg
Expand All @@ -195,8 +195,8 @@ private static void testWithJavaCommands() throws Throwable {
+ "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE "
+ "-J-Dkeystore.pkcs12.macAlgorithm=NONE");
data = Files.readAllBytes(Path.of("ksnormal"));
checkInt(data, "22", 100000); // Mac ic
checkAlg(data, "2000", SHA_1); // Mac alg
checkInt(data, "22", 10000); // Mac ic
checkAlg(data, "2000", SHA_256); // Mac alg
checkAlg(data, "110c010c01000", PBES2); // key alg
checkInt(data, "110c010c01001011", 10000); // key ic
checkAlg(data, "110c010c11000", PBES2); // new key alg
Expand Down Expand Up @@ -240,7 +240,7 @@ private static void testWithJavaCommands() throws Throwable {
+ "-J-Dkeystore.pkcs12.keyPbeIterationCount=7777");
data = Files.readAllBytes(Path.of("ksnewic"));
checkInt(data, "22", 5555); // Mac ic
checkAlg(data, "2000", SHA_1); // Mac alg
checkAlg(data, "2000", SHA_256); // Mac alg
checkAlg(data, "110c010c01000", PBES2); // key alg
checkInt(data, "110c010c01001011", 7777); // key ic
checkAlg(data, "110c110110", PBES2); // cert alg
Expand All @@ -257,7 +257,7 @@ private static void testWithJavaCommands() throws Throwable {
+ "-J-Dkeystore.pkcs12.keyProtectionAlgorithm=PBEWithSHA1AndRC4_128");
data = Files.readAllBytes(Path.of("ksnewic"));
checkInt(data, "22", 5555); // Mac ic
checkAlg(data, "2000", SHA_1); // Mac alg
checkAlg(data, "2000", SHA_256); // Mac alg
checkAlg(data, "110c010c01000", PBES2); // key alg
checkInt(data, "110c010c01001011", 7777); // key ic
checkAlg(data, "110c010c11000", PBEWithSHA1AndRC4_128); // new key alg
Expand All @@ -273,8 +273,8 @@ private static void testWithJavaCommands() throws Throwable {
ks.store(fos, "changeit".toCharArray());
}
data = Files.readAllBytes(Path.of("ksnormaldup"));
checkInt(data, "22", 100000); // Mac ic
checkAlg(data, "2000", SHA_1); // Mac alg
checkInt(data, "22", 10000); // Mac ic
checkAlg(data, "2000", SHA_256); // Mac alg
checkAlg(data, "110c010c01000", PBES2); // key alg
checkInt(data, "110c010c01001011", 10000); // key ic
checkAlg(data, "110c010c11000", PBES2); // new key alg
Expand Down Expand Up @@ -303,7 +303,7 @@ private static void testWithJavaCommands() throws Throwable {
}
data = Files.readAllBytes(Path.of("ksnewicdup"));
checkInt(data, "22", 5555); // Mac ic
checkAlg(data, "2000", SHA_1); // Mac alg
checkAlg(data, "2000", SHA_256); // Mac alg
checkAlg(data, "110c010c01000", PBES2); // key alg
checkInt(data, "110c010c01001011", 7777); // key ic
checkAlg(data, "110c010c11000", PBEWithSHA1AndRC4_128); // new key alg
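Review bot: In the @@ -169 hunk the MAC iteration check `checkInt(data, "22", 10000); // Mac ic` now asserts the same value as the key iteration check `checkInt(data, "110c010c01001011", 10000); // key ic` three lines below, and the same coincidence appears in the @@ -195 and @@ -273 hunks and in the default-settings cases of ParamsPreferences.java. Since the new DEFAULT_MAC_ITERATION_COUNT equals DEFAULT_KEY_PBE_ITERATION_COUNT (both 10000 in PKCS12KeyStore.java), a regression that stored the key-PBE count in the MacData iteration field would still pass these default-case assertions; the @@ -240, @@ -257 and @@ -303 hunks, which set 5555 and 7777 through system properties, remain the only checks that tell the two counts apart. This is a reduction in what the default-case checks prove rather than a failure, and a one-line comment at the first such check, such as `// Mac ic now equals the key ic (both 10000); the 5555/7777 cases below keep them distinguishable`, would record that it is deliberate. testWithJavaCommands starts and ends outside these hunks.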
16 changes: 8 additions & 8 deletions test/jdk/sun/security/pkcs12/ParamsPreferences.java
Expand Up @@ -57,7 +57,7 @@ public static final void main(String[] args) throws Exception {
Map.of(),
PBES2, HmacSHA256, AES_256$CBC$NoPadding, 10000,
PBES2, HmacSHA256, AES_256$CBC$NoPadding, 10000,
SHA_1, 100000);
SHA_256, 10000);

// legacy settings
test(c++,
Expand Down Expand Up @@ -107,7 +107,7 @@ public static final void main(String[] args) throws Exception {
"keystore.pkcs12.macAlgorithm", "NONE"),
PBEWithSHA1AndDESede, 10000,
PBES2, HmacSHA256, AES_256$CBC$NoPadding, 10000,
SHA_256, 100000);
SHA_256, 10000);

// back to with storepass by using "" to force hardcoded default
test(c++,
Expand All @@ -119,7 +119,7 @@ public static final void main(String[] args) throws Exception {
"keystore.pkcs12.macAlgorithm", "NONE"),
PBES2, HmacSHA256, AES_256$CBC$NoPadding, 10000,
PBES2, HmacSHA256, AES_256$CBC$NoPadding, 10000,
SHA_1, 100000);
SHA_256, 10000);

// change everything with system property
test(c++,
Expand Down Expand Up @@ -173,29 +173,29 @@ public static final void main(String[] args) throws Exception {
Map.of("keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128"),
PBES2, HmacSHA256, AES_256$CBC$NoPadding, 10000,
PBEWithSHA1AndRC2_128, 10000,
SHA_1, 100000);
SHA_256, 10000);
test(c++,
Map.of(),
Map.of("keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128",
"keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40"),
PBES2, HmacSHA256, AES_256$CBC$NoPadding, 10000,
PBEWithSHA1AndRC2_40, 10000,
SHA_1, 100000);
SHA_256, 10000);
test(c++,
Map.of("keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC4_128"),
Map.of("keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128",
"keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40"),
PBES2, HmacSHA256, AES_256$CBC$NoPadding, 10000,
PBEWithSHA1AndRC4_128, 10000,
SHA_1, 100000);
SHA_256, 10000);
test(c++,
Map.of("keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC4_128",
"keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC4_40"),
Map.of("keystore.PKCS12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_128",
"keystore.pkcs12.keyProtectionAlgorithm", "PBEWithSHA1AndRC2_40"),
PBES2, HmacSHA256, AES_256$CBC$NoPadding, 10000,
PBEWithSHA1AndRC4_40, 10000,
SHA_1, 100000);
SHA_256, 10000);

// 8266293
test(c++,
Expand All @@ -204,7 +204,7 @@ public static final void main(String[] args) throws Exception {
Map.of(),
PBEWithMD5AndDES, 10000,
PBEWithMD5AndDES, 10000,
SHA_1, 100000);
SHA_256, 10000);
}

/**
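Review bot: Every `test(c++, ...)` call touched here ends with the literal pair `SHA_256, 10000` for the expected MAC algorithm and iteration count (eight sites across the @@ -57, @@ -107, @@ -119, @@ -173 and @@ -204 hunks), so the next change to the PKCS12 MAC defaults will again rewrite every call site. Two named constants for the expected defaults, declared next to the algorithm constants the file already uses (SHA_256, PBES2, HmacSHA256; the names are the author's choice, for example a DEFAULT_MAC_ALG/DEFAULT_MAC_IC pair), would state the intent at each call and confine such a change to one place. The @@ -107 case, which previously expected `SHA_256, 100000` and now expects the same pair as the pure-default cases, appears to have lost the distinction it was checking; if that case is meant to exercise a non-default MAC setting, a comment saying so would help, since its Map arguments start outside the hunk. main starts outside these hunks and ends at the closing brace in the @@ -204 hunk.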

1 comment on commit 9cf9879

@openjdk-notifier