8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1)

[mcpowers]

JDK-8343232

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires CSR request JDK-8370042 to be approved

Issues

• JDK-8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) (Enhancement - P2)
• JDK-8370042: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1) (CSR)

Reviewers

• Weijun Wang (@wangweij - Reviewer)
• Sean Mullan (@seanjmullan - Reviewer) Review applies to e55d79f8

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/24429/head:pull/24429
$ git checkout pull/24429

Update a local copy of the PR:
$ git checkout pull/24429
$ git pull https://git.openjdk.org/jdk.git pull/24429/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 24429

View PR using the GUI difftool:
$ git pr show -t 24429

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/24429.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back mpowers! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@mcpowers This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1)

Reviewed-by: weijun, mullan

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 27 new commits pushed to the master branch:

• 8236800: 8370527: Memory leak after 8316694: Implement relocation of nmethod within CodeCache
• 16dafc0: 8370393: Cleanup handling of ancient Windows versions from GetJavaProperties java_props_md
• 2158719: 8370150: Add StrictMath microbenchmarks to cover FDLIBM algorithms
• ... and 24 more: https://git.openjdk.org/jdk/compare/a2196e20608a1acd12c84ecfb8522bf1666545f4...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[openjdk]

@mcpowers The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[bridgekeeper]

@mcpowers This pull request has been inactive for more than 8 weeks and will be automatically closed if another 8 weeks passes without any activity. To avoid this, simply issue a /touch or /keepalive command to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[mcpowers]

/keepalive

[openjdk]

@mcpowers The pull request is being re-evaluated and the inactivity timeout has been reset.

[wangweij]

Some comments.

[wangweij]

Everything looks fine.

[seanjmullan]

unused variable.

[mcpowers]

fixed

[seanjmullan]

This method actually encodes more than the parameters. It also encodes the outer algorithm id. I guess that's ok, but I suggest adding a comment that says that.

[mcpowers]

added

[seanjmullan]

This is encoding more than the PBMAC1 parameters, it is also encoding the MacData structure. That should really be in the MacData class.

[mcpowers]

I moved it to the MacData class as you suggest. macSalt ("NOT USED") and iterations (1) also belong in MacData and have been moved.

[wangweij]

The latest encode returns two algorithm identifiers concatenated together without any frame. I suggest we follow the PBKDF2Parameters.java style you described below ("The outer algorithm ID is also encoded in addition to the parameters"), which means moving the code around tmp2 and tmp3 from MacData::encode here simply call tmp1.writeBytes(PBMAC1Parameters.encode(...)) in MacData::encode.

Or, if you prefer to encode the PBMAC1 OID outside (which follows most AlgorithmParametersSpi classes), put the concatenation inside a SEQUENCE and return it. This is similar to #24429 (comment).

[mcpowers]

I choose the latter.

[seanjmullan]

Looks good!

[wangweij]

Since there is only one raw byte array in tmp3, the following lines

DerOutputStream tmp3 = new DerOutputStream();
tmp3.writeBytes(PBMAC1Parameters.encode(macSalt, iterations, keyLength, kdfHmac, hmac));
tmp2.write(tmp3);

is equivalent to

tmp2.writeBytes(PBMAC1Parameters.encode(macSalt, iterations, keyLength, kdfHmac, hmac));

[mcpowers]

fixed

[mcpowers]

/integrate

[openjdk]

Going to push as commit 1781b18.
Since your change was applied there have been 27 commits pushed to the master branch:

• 8236800: 8370527: Memory leak after 8316694: Implement relocation of nmethod within CodeCache
• 16dafc0: 8370393: Cleanup handling of ancient Windows versions from GetJavaProperties java_props_md
• 2158719: 8370150: Add StrictMath microbenchmarks to cover FDLIBM algorithms
• ... and 24 more: https://git.openjdk.org/jdk/compare/a2196e20608a1acd12c84ecfb8522bf1666545f4...master

Your commit was automatically rebased without conflicts.

[openjdk]

@mcpowers Pushed as commit 1781b18.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.