JDK-8288297 : Release Note: Upgrade the Default PKCS12 MAC Algorithm
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u361,8u351,11.0.17-oracle
  • Priority: P3
  • Status: Resolved
  • Resolution: Delivered
  • Submitted: 2022-06-13
  • Updated: 2022-09-16
  • Resolved: 2022-07-29
JDK 11: 11.0.17-oracle (Resolved)
JDK 7: 7u361 (Resolved)
JDK 8: 8u351 (Resolved)
Description
The default MAC algorithm used in a PKCS #12 keystore has been updated. The new algorithm is based on SHA-256 and is stronger than the old one based on SHA-1. See the security properties starting with `keystore.pkcs12` in the `java.security` file for detailed information.

The new SHA-256 based MAC algorithms were introduced in the 11.0.12, 8u301, and 7u311 JDK versions. Keystores created using this newer, stronger MAC algorithm cannot be opened in JDK versions earlier than 11.0.12, 8u301, and 7u311. A `java.security.NoSuchAlgorithmException` will be thrown in such circumstances.

For compatibility, set the `keystore.pkcs12.legacy` system property, which reverts to the older, weaker algorithms. There is no value defined for this property.
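To see which keystores fall on which side of the compatibility break described above, the MAC digest can be read directly from the file's PFX structure. The following is an added example, not code from the JDK or from this release note; the function names and the skeleton sample keystores are constructed for illustration, and it assumes definite-length DER encoding.

```python
# Added example (not JDK code); assumes definite-length DER; names are illustrative.
DIGESTS = {bytes.fromhex("2b0e03021a"): "SHA-1",            # 1.3.14.3.2.26
           bytes.fromhex("608648016503040201"): "SHA-256"}  # 2.16.840.1.101.3.4.2.1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite-length BER is not supported")
    if length & 0x80:                        # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def pkcs12_mac_digest(der):
    """Return (digest name, iterations), or None when the PFX has no MacData."""
    tag, pfx, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(pfx)                   # version, authSafe, [macData]
    if len(fields) < 3:
        return None
    mac_data = children(fields[2][1])        # DigestInfo, macSalt, [iterations]
    alg_id = children(mac_data[0][1])[0][1]  # AlgorithmIdentifier content
    oid = children(alg_id)[0][1]
    iterations = int.from_bytes(mac_data[2][1], "big") if len(mac_data) > 2 else 1
    return DIGESTS.get(oid, "unknown OID " + oid.hex()), iterations

def tlv(tag, value):                         # sample builder, lengths < 128 only
    return bytes([tag, len(value)]) + value

def sample_pfx(oid_hex, digest_len):
    """Constructed skeleton PFX: placeholder authSafe, zeroed digest and salt."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    mac = tlv(0x30, tlv(0x30, alg + tlv(0x04, bytes(digest_len)))
              + tlv(0x04, bytes(8)) + tlv(0x02, (10000).to_bytes(2, "big")))
    auth_safe = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
    return tlv(0x30, tlv(0x02, b"\x03") + auth_safe + mac)
```

For a real keystore, pass the raw file bytes to `pkcs12_mac_digest`; a result of `SHA-256` marks a file that the older JDK versions named above cannot open.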
Comments
Change title to title case, assigned a fix version to the main task, added backports for the remaining affected versions.
16-09-2022