Fix for: 6415637: PKCS#12 key stores with empty passwords
Florian Weimer
fweimer at bfk.de
Tue Jun 21 11:02:14 UTC 2011
* Weijun Wang:
> Thanks for looking into this.
>
> The following bug is for this special purpose:
>
> 6879539: enable empty password support for pkcs12 keystore
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6879539
Oh, thanks, I totally missed that.
> and it's now still in code review mode:
>
> http://cr.openjdk.java.net/~weijun/6879539/webrev.01/
> http://cr.openjdk.java.net/~weijun/6880619/webrev.00/
>
> It seems our implementations are the same. At first sight, your codes
> seem to use "char{}" as default and "char{0}" as alternative. But
> then, in your updated derive() method, "char{}" goes to "byte{0,0}"
> and "char{0}" goes to "byte{}". Finally, "byte{0,0}" always becomes
> the default key for an empty password.
I used the opposite logic so that encoding with and without NUL
termination is supported, and lack of a trailing NUL results in
compliant behavior. I'm not sure if we eventually need to support lack
of NUL termination for non-empty passwords, too.
Regarding your version, I think you should not share the ZERO value
across calls because you do not completely control which implementing
methods you call.
Do you plan to restructure the code to address the related bug 6974037?
I believe the MAC check should come first, as a matter of cryptographic
hygiene.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
More information about the security-dev
mailing list