JDK-8267599 : Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u311,8u301,11.0.12
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2021-05-24
  • Updated: 2022-09-14
  • Resolved: 2021-05-25
Fixed versions:
  • JDK 11: 11.0.12-oracle (Fixed)
  • JDK 7: 7u311 (Fixed)
  • JDK 8: 8u301 (Fixed)
Description
PKCS12 keystores created using JDK 11.0.12 or later can't be read by earlier JDK 11 versions.

Calling keyStore.load() on file: file:trust.jks, type: PKCS12, password:password
Exception in thread "main" java.io.IOException: Integrity check failed: java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2167)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
        at java.base/java.security.KeyStore.load(KeyStore.java:1479)
        at LoadKeyStore.main(LoadKeyStore.java:33)
Caused by: java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available
        at java.base/javax.crypto.Mac.getInstance(Mac.java:191)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2145)
        ... 3 more

Comments
Fix Request (11u)
JDK-8153005 was already backported to OpenJDK 11.0.12, too. Reverting macAlgorithm and macIterationCount requires a test adaptation.
Review thread: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-May/006387.html
28-05-2021

Extract from CSR:
==
End users will have full control over what default PKCS12 values get used via the new keystore.pkcs12.macAlgorithm and keystore.pkcs12.macIterationCount security properties which have already been integrated into 11.0.12, JDK 8u301 and JDK 7u311 codelines.
==
If an end user chooses to use the HmacPBESHA256 algorithm (by editing properties in java.security), then they should be aware that JDK 11.0.12, JDK 8u301 or JDK 7u311 (or newer) is required to open/read such a keystore.
26-05-2021

HmacPBESHA256 is a new algorithm introduced in JDK 11.0.12 via JDK-8153005 work. We should consider winding back the default algorithm for medium term in a bid to help interoperability.
24-05-2021
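
Added example (not code from the JDK or from this report): a Java program that pins the two security properties named in the CSR extract before writing a PKCS12 keystore, and probes whether the running JDK can verify each MAC algorithm, which is the lookup that fails in the stack trace. The class name, the sample entry and the iteration counts are assumptions made for the example; HmacPBESHA1 is the older MAC algorithm that earlier JDKs can read.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Pkcs12MacCompat {
    // Same lookup that fails in the stack trace: can this runtime verify the MAC?
    static boolean macSupported(String alg) {
        try {
            Mac.getInstance(alg);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    // Write a PKCS12 keystore with the MAC settings pinned via the two properties.
    // Security.setProperty is JVM-wide; runtimes without the properties ignore it.
    static byte[] storeWithMac(String alg, int iterations, char[] pw) throws Exception {
        Security.setProperty("keystore.pkcs12.macAlgorithm", alg);
        Security.setProperty("keystore.pkcs12.macIterationCount", String.valueOf(iterations));
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        // Constructed sample entry: an all-zero AES key, for demonstration only.
        ks.setEntry("demo", new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                new KeyStore.PasswordProtection(pw));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray(); // sample password, as in the report
        String[][] settings = {{"HmacPBESHA1", "100000"}, {"HmacPBESHA256", "10000"}};
        for (String[] s : settings) {
            if (!macSupported(s[0])) {
                System.out.println(s[0] + ": not available here; load() of such a keystore fails");
                continue;
            }
            byte[] p12 = storeWithMac(s[0], Integer.parseInt(s[1]), pw);
            KeyStore check = KeyStore.getInstance("PKCS12");
            check.load(new ByteArrayInputStream(p12), pw); // integrity check runs here
            System.out.println(s[0] + ": wrote and re-read " + p12.length + " bytes");
        }
    }
}
```

Running it on each JDK that has to read a shared keystore shows which MAC algorithm is safe to pin on the writing side.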