From 9866650b64aa741f12cd4eb9ae688b02393ddca8 Mon Sep 17 00:00:00 2001 From: Valerie Peng Date: Tue, 23 Dec 2025 18:27:29 +0000 Subject: [PATCH] 8371935: Enhance key generation Reviewed-by: rhalade, jnibedita, ahgross, ascarpino, weijun --- .../share/classes/com/sun/crypto/provider/PBES1Core.java | 3 ++- .../classes/com/sun/crypto/provider/PKCS12PBECipherCore.java | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java b/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java index 5e5376c652a..d614412b13b 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java @@ -47,7 +47,8 @@ final class PBES1Core { private final MessageDigest md; private final String algo; private byte[] salt = null; - private int iCount = 10; + // RFC 8018 and NIST SP 800-132 sec 5.2 recommend 1000 as the minimum + private int iCount = PKCS12PBECipherCore.DEFAULT_COUNT; // utility method for checking weak salts of PBEWithMD5AndTripleDES cipher private static boolean isWeak(byte[] s) { diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java b/src/java.base/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java index 7d2ba7f9831..517d7777287 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -53,7 +53,7 @@ final class PKCS12PBECipherCore { private int iCount = 0; private static final int DEFAULT_SALT_LENGTH = 20; - private static final int DEFAULT_COUNT = 1024; + static final int DEFAULT_COUNT = 1024; static final int CIPHER_KEY = 1; static final int CIPHER_IV = 2;