Upgrade the default algorithms used in PKCS 12 to use a new PBES2-based stronger Mac algorithm. The Crypto roadmap team decided to delay this change for over a year to help interoperability in JDK updates releases where older releases didn't have the new MAC algorithms that we're now using by default. Previous CSR history at JDK-8267701
PKCS12 is the default keystore format since JDK 9, but we have been using weak Mac algorithm which was the standard of 1990s.
Upgrade the algorithm used in certificate integrity protection to the value as described in the specification below.
First, make the following change in java.security.
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index 0d3d3babe8..65c1f0f829 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -1217,12 +1217,12 @@ jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep # The algorithm used to calculate the optional MacData at the end of a PKCS12 # file. This can be any HmacPBE algorithm defined in the Mac section of the # Java Security Standard Algorithm Names Specification. When set to "NONE", -# no Mac is generated. The default value is "HmacPBESHA1". -#keystore.pkcs12.macAlgorithm = HmacPBESHA1 +# no Mac is generated. The default value is "HmacPBESHA256". +#keystore.pkcs12.macAlgorithm = HmacPBESHA256 # The iteration count used by the MacData algorithm. This value must be a -# positive integer. The default value is 100000. -#keystore.pkcs12.macIterationCount = 100000 +# positive integer. The default value is 10000. +#keystore.pkcs12.macIterationCount = 10000 # # Enhanced exception message information