8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"

[wangweij]

PKCS12KeyStore always uses a 20-byte salt in encryption but PBEWithMD5AndDES only accepts 8-byte salt. With this code change, the salt used for this algorithm will be 8 bytes.

RFC 2898 only requires the salt to be at least 8 bytes, but I don't intend to modify the PBES1Core.java to accept a long salt. Otherwise, a newly generated PKCS #⁠12 file using a long salt will not be recognized by an old JDK.

Also, although PBES1Core.java also take cares of another algorithm named PBEWithMD5AndDESede but it's not usable in a PKCS #⁠12 keystore as we have not defined its Object Identifier anywhere.

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"

Reviewers

• Valerie Peng (@valeriepeng - Reviewer) ⚠️ Review applies to 6726d0b

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/3822/head:pull/3822
$ git checkout pull/3822

Update a local copy of the PR:
$ git checkout pull/3822
$ git pull https://git.openjdk.java.net/jdk pull/3822/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3822

View PR using the GUI difftool:
$ git pr show -t 3822

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/3822.diff

[bridgekeeper]

👋 Welcome back weijun! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@wangweij The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 01: Full - Incremental (df1ab373)
• 00: Full (6726d0be)

[valeriepeng]

I will take a look. Thanks.

[valeriepeng]

nit: maybe use "PBES1 scheme such as PBEWithMD5AndDES requires a 8-byte salt"

[wangweij]

Sure. Updated.

[valeriepeng]

Changes look good.

[openjdk]

@wangweij This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"

Reviewed-by: valeriep

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 98 new commits pushed to the master branch:

• a90b33a: 8266573: Make sure blackholes are tagged for all JVMCI paths
• 2dcbedf: 8266044: Nested class summary should show kind of class or interface
• e840597: 8266460: java.io tests fail on null stream with upgraded jtreg/TestNG
• fcedfc8: 8266579: Update test/jdk/java/lang/ProcessHandle/PermissionTest.java & test/jdk/java/sql/testng/util/TestPolicy.java
• c665dba: 8266561: Remove Compile::_save_argument_registers
• 47d4438: 8266426: ZHeapIteratorOopClosure does not handle native access properly
• 2438498: 8252758: Lanai: Optimize index calculation while copying glyphs
• eb3b96d: 8266496: WBIsKlassAliveClosure.do_klass() fails for hidden classes
• 51f5adf: 8265047: Inconsistent warning message in jcmd VM.log
• ea30bd6: 8263362: Avoid division by 0 in java/awt/font/TextJustifier.java justify
• ... and 88 more: https://git.openjdk.java.net/jdk/compare/49d04586ed27fc905083d60aa68793d84824c7f3...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[wangweij]

/integrate

[openjdk]

@wangweij Since your change was applied there have been 98 commits pushed to the master branch:

• a90b33a: 8266573: Make sure blackholes are tagged for all JVMCI paths
• 2dcbedf: 8266044: Nested class summary should show kind of class or interface
• e840597: 8266460: java.io tests fail on null stream with upgraded jtreg/TestNG
• fcedfc8: 8266579: Update test/jdk/java/lang/ProcessHandle/PermissionTest.java & test/jdk/java/sql/testng/util/TestPolicy.java
• c665dba: 8266561: Remove Compile::_save_argument_registers
• 47d4438: 8266426: ZHeapIteratorOopClosure does not handle native access properly
• 2438498: 8252758: Lanai: Optimize index calculation while copying glyphs
• eb3b96d: 8266496: WBIsKlassAliveClosure.do_klass() fails for hidden classes
• 51f5adf: 8265047: Inconsistent warning message in jcmd VM.log
• ea30bd6: 8263362: Avoid division by 0 in java/awt/font/TextJustifier.java justify
• ... and 88 more: https://git.openjdk.java.net/jdk/compare/49d04586ed27fc905083d60aa68793d84824c7f3...master

Your commit was automatically rebased without conflicts.

Pushed as commit 04f7112.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.