On Fri, 10 Oct 2025 02:27:30 GMT, Weijun Wang <[email protected]> wrote:
>> Koushik Muthukrishnan Thirupattur has updated the pull request incrementally >> with two additional commits since the last revision: >> >> - 8367008: Algorithm identifiers for HmacSHA* should always have NULL as >> params >> - 8367008: Algorithm identifiers for HmacSHA* should always have NULL as >> params > > src/java.base/share/classes/sun/security/x509/AlgorithmId.java line 690: > >> 688: ObjectIdentifier.of(KnownOIDs.HmacSHA256), >> 689: ObjectIdentifier.of(KnownOIDs.HmacSHA384), >> 690: ObjectIdentifier.of(KnownOIDs.HmacSHA512) > > The "HMAC algorithm identifiers" section of > https://www.rfc-editor.org/rfc/rfc9879.html#name-asn1-module also includes > algid-hmacWithSHA512-224 and algid-hmacWithSHA512-256. > > Also, I have always been wondering how SHA3 Hmac `AlgorithmId` are encoded. > https://datatracker.ietf.org/doc/html/rfc9688#name-signature-algorithms says > "the parameters field MUST be absent". Although I'm not sure if this is only > in CMS, but I think it's worth adding a reference here explaining why those > OIDs are not included. Thank you for catching that. I’ve added the missing HMAC OIDs HmacSHA512_224 and HmacSHA512_256 as specified in [RFC 9879 §4](https://www.rfc-editor.org/rfc/rfc9879.html#name-asn1-module) Regarding SHA3-based HMACs, I have added a comment in the code as per your suggestion. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/27700#discussion_r2422005098
