8371935: Enhance key generation

Aleksei Voitylov · RealCLanger · commit 914c69c7ca7a · 2026-04-15T22:10:49.000+02:00
Reviewed-by: andrew
Backport-of: d0c1a0707ac9f863aa1e98613032e15b2f998056
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java b/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java
@@ -47,7 +47,8 @@ final class PBES1Core {
     private final MessageDigest md;
     private final String algo;
     private byte[] salt = null;
-    private int iCount = 10;
+    // RFC 8018 and NIST SP 800-132 sec 5.2 recommend 1000 as the minimum
+    private int iCount = PKCS12PBECipherCore.DEFAULT_COUNT;
 
     /**
      * Creates an instance of PBE Cipher using the specified CipherSpi
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java b/src/java.base/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,7 +53,7 @@ final class PKCS12PBECipherCore {
     private int iCount = 0;
 
     private static final int DEFAULT_SALT_LENGTH = 20;
-    private static final int DEFAULT_COUNT = 1024;
+    static final int DEFAULT_COUNT = 1024;
 
     static final int CIPHER_KEY = 1;
     static final int CIPHER_IV = 2;
