diff --git a/src/java.base/share/classes/sun/security/util/PBKDF2Parameters.java b/src/java.base/share/classes/sun/security/util/PBKDF2Parameters.java
index 07d4c70fecb..ba6636d7922 100644
--- a/src/java.base/share/classes/sun/security/util/PBKDF2Parameters.java
+++ b/src/java.base/share/classes/sun/security/util/PBKDF2Parameters.java
@@ -27,7 +27,6 @@ package sun.security.util;
 import java.io.IOException;
-import sun.security.util.KnownOIDs;
 import sun.security.x509.AlgorithmId;
 /**
@@ -164,7 +163,10 @@ public final class PBKDF2Parameters {
 tmp0.putInteger(keyLength);
 // prf AlgorithmIdentifier {{PBKDF2-PRFs}}
- tmp0.write(new AlgorithmId(prf));
+ // HmacSHA1 is the default and must not be encoded.
+ if (!prf.equals(ObjectIdentifier.of(KnownOIDs.HmacSHA1))) {
+ tmp0.write(new AlgorithmId(prf));
+ }
 // id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
 out.putOID(ObjectIdentifier.of(KnownOIDs.PBKDF2));
diff --git a/test/jdk/sun/security/pkcs12/ImportPassKeyAlg.java b/test/jdk/sun/security/pkcs12/ImportPassKeyAlg.java
index ba98c3ce2de..bf767a6344d 100644
--- a/test/jdk/sun/security/pkcs12/ImportPassKeyAlg.java
+++ b/test/jdk/sun/security/pkcs12/ImportPassKeyAlg.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2022, 2025, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 /*
 * @test
- * @bug 8286069
+ * @bug 8286069 8371156
 * @summary keytool prints out wrong key algorithm for -importpass command
 * @library /test/lib
 * @modules java.base/sun.security.util
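Review bot: In PBKDF2Parameters.java (the hunk at -164), the new comment `// HmacSHA1 is the default and must not be encoded.` states the rule without its source, so a later reader cannot tell a standards requirement from a compatibility workaround. I would write `// prf is DEFAULT algid-hmacWithSHA1 (RFC 8018 A.2); DER omits a component equal to its DEFAULT.` The decode path is not part of this hunk, so it is worth confirming that an absent prf is read back as HmacSHA1 and that files written earlier with an explicit HmacSHA1 prf are still accepted. The enclosing method starts and ends outside the hunk.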
@@ -92,7 +92,7 @@ public class ImportPassKeyAlg {
 // 0034:0004 [1011] INTEGER 10000
 // 0038:0003 [1012] INTEGER 16
 // 003B:000E [1013] SEQUENCE
- // 003D:000A [10130] OID 1.2.840.113549.2.7 (HmacSHA1)
+ // 003D:000A [10130] OID 1.2.840.113549.2.9 (HmacSHA256)
 // 0047:0002 [10131] NULL
 // 0049:001F [11] SEQUENCE
 // 004B:000B [110] OID 2.16.840.1.101.3.4.1.2 (AES_128/CBC/NoPadding)
@@ -100,7 +100,11 @@ public class ImportPassKeyAlg {
 var data = Files.readAllBytes(Path.of(name));
 DerUtils.checkAlg(data, "110c010c01010c00", oids[0]);
 if (oids[0] == KnownOIDs.PBES2) {
- DerUtils.checkAlg(data, "110c010c01010c010130", oids[1]);
+ if (oids[1] == KnownOIDs.HmacSHA1) {
+ DerUtils.shouldNotExist(data, "110c010c01010c010130");
+ } else {
+ DerUtils.checkAlg(data, "110c010c01010c010130", oids[1]);
+ }
 DerUtils.checkAlg(data, "110c010c01010c0110", oids[2]);
 }
 }
diff --git a/test/jdk/sun/security/pkcs12/PBMAC1Test.java b/test/jdk/sun/security/pkcs12/PBMAC1Test.java
index acb0f73a2d2..4e89322bc0a 100644
--- a/test/jdk/sun/security/pkcs12/PBMAC1Test.java
+++ b/test/jdk/sun/security/pkcs12/PBMAC1Test.java
@@ -116,6 +116,16 @@ public class PBMAC1Test {
 var reason = Asserts.assertThrows(NoSuchAlgorithmException.class, () -> emptyP12()).getMessage();
 Asserts.assertTrue(reason.contains("Algorithm hmacsha456 not available"), reason);
+
+ // Verify that DEFAULT HmacSHA1 prf does not get encoded.
+ System.setProperty("keystore.pkcs12.macAlgorithm", "PBEWITHHMACSHA1");
+ der = emptyP12();
+ DerUtils.checkAlg(der, "2000", KnownOIDs.PBMAC1);
+ DerUtils.checkAlg(der, "200100", KnownOIDs.PBKDF2);
+ DerUtils.shouldNotExist(der, "20010130");
+ DerUtils.checkAlg(der, "200110", KnownOIDs.HmacSHA1);
+ DerUtils.checkInt(der, "2001011", 10000);
+ DerUtils.checkInt(der, "2001012", 20);
 }
 static void migrate() throws Exception {
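Review bot: In ImportPassKeyAlg.java (the hunk at -100), the HmacSHA1 branch asserts absence only at the OID leaf `110c010c01010c010130`, which would still pass if an element of some other shape occupied the prf position. Asserting on the parent position instead, presumably `DerUtils.shouldNotExist(data, "110c010c01010c01013");` going by the `[1013] SEQUENCE` label in the dump comment above, states the intent directly: the prf element is omitted altogether. The same applies to `DerUtils.shouldNotExist(der, "20010130")` in PBMAC1Test.java, where the sibling checks at `2001011` and `2001012` suggest `2001013` is the prf position. The enclosing method begins outside the hunk.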
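Review bot: In PBMAC1Test.java, `System.setProperty("keystore.pkcs12.macAlgorithm", "PBEWITHHMACSHA1")` is set just before the method's closing brace and nothing in the hunk clears it, so code that runs later in the same JVM (`migrate()` is declared right after) may inherit the HmacSHA1 MAC setting unless it sets the property itself. Adding `System.clearProperty("keystore.pkcs12.macAlgorithm");` after the last check, or wrapping the block in try/finally, keeps the case self-contained. The block also inspects only the encoded bytes; loading `der` back with `KeyStore.load` would confirm that the reader treats the absent prf as HmacSHA1, though whether `emptyP12()` already does so is not visible here. The start of the method is outside the hunk.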