Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8267701

Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u

    XMLWordPrintable

    Details

    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      Restoring HmacPBESHA1 minimizes compatibility concerns.
    • Interface Kind:
      Java API, System or security property

      Description

      Summary

      The PKCS12 Mac Algorithm changes discussed in CSR JDK-8228481 have raised interoperability concerns for JDK 11u/8u/7u. The HmacPBESHA256 algorithm will be newly introduced in JDK 11.0.12, JDK 8u301 and JDK 7u311.

      Problem

      As such, any application operating with PKCS12 keystores would need this new HmacPBESHA256 algorithm if using default keystore PKCS12 values. This may hinder interoperability with older JDK update releases where a PKCS12 keystore might get created on a recent JDK 11 Update but becomes unusable on an earlier JDK 11 update release.

      HmacPBESHA256 was newly introduced in JDK 12 but only became the default PKCS12 Mac algorithm in JDK 16.

      Solution

      Delay the switching of default PKCS12 Mac Algorithm to HmacPBESHA256 for 11.0.12, JDK 8u301 and JDK 7u311. Use HmacPBESHA1 instead. HmacPBESHA1 has been available in all supported JDK release families since GA of that release family. Revert back the default PKCS12 Mac iteration count from 10000 to 100000 also.

      We can revisit reverting to stronger default values in JDK 11u/8u/7u after a few update releases when the HmacPBESHA256should be more widely available as a consequence of end users updating their JDK versions.

      End users will have full control over what default PKCS12 values get used via the new keystore.pkcs12.macAlgorithm and keystore.pkcs12.macIterationCount security properties which have already been integrated into 11.0.12, JDK 8u301 and JDK 7u311 codelines.

      Specification

      revert default PKCS12 MAC algorithm: - private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA256"; + private static final String DEFAULT_MAC_ALGORITHM = "HmacPBESHA1";

      revert default PKCS12 MAC iteration count: - private static final int DEFAULT_MAC_ITERATION_COUNT = 10000; + private static final int DEFAULT_MAC_ITERATION_COUNT = 100000;

      Update the java.security file relevant comment section with same detail.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              coffeys Sean Coffey
              Reporter:
              shadowbug Shadow Bug
              Reviewed By:
              Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: