On Thu, 6 Nov 2025 19:49:56 GMT, Mark Powers <[email protected]> wrote:
> [JDK-8371156](https://bugs.openjdk.org/browse/JDK-8371156) > > HmacSHA1 is the DEFAULT for PBKDF2. Therefore, it should not be DER encoded. > > > PBKDF2-params ::= SEQUENCE { > salt CHOICE { > specified OCTET STRING, > otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} > }, > iterationCount INTEGER (1..MAX), > keyLength INTEGER (1..MAX) OPTIONAL, > prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1 > } test/jdk/sun/security/pkcs12/ImportPassKeyAlg.java line 96: > 94: // 003B:000E [1013] SEQUENCE > 95: // 003D:000A [10130] OID 1.2.840.113549.2.7 > (HmacSHA1) > 96: // 0047:0002 [10131] NULL Thanks for catching this. Unfortunately, the example encoding shown here is exactly for the HmacSHA1 case so it's incorrect now. You can change line 95 above to 003D:000A [10130] OID 1.2.840.113549.2.9 (HmacSHA256) Otherwise, all good. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/28182#discussion_r2528635531
