Fix for: 6415637: PKCS#12 key stores with empty passwords

Florian Weimer fweimer at
Tue Jun 21 04:02:14 PDT 2011

* Weijun Wang:

> Thanks for looking into this.
> The following bug is for this special purpose:
>    6879539: enable empty password support for pkcs12 keystore

Oh, thanks, I totally missed that.

> and it's now still in code review mode:
> It seems our implementations are the same. At first sight, your code
> seems to use "char{}" as default and "char{0}" as alternative. But
> then, in your updated derive() method, "char{}" goes to "byte{0,0}"
> and "char{0}" goes to "byte{}". Finally, "byte{0,0}" always becomes
> the default key for an empty password.

I used the opposite logic so that encoding with and without NUL
termination is supported, and lack of a trailing NUL results in
compliant behavior.  I'm not sure if we eventually need to support lack
of NUL termination for non-empty passwords, too.

Regarding your version, I think you should not share the ZERO value
across calls because you do not completely control which implementing
methods you call.

Do you plan to restructure the code to address the related bug 6974037?
I believe the MAC check should come first, as a matter of cryptographic

Florian Weimer                <fweimer at>
BFK edv-consulting GmbH
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the security-dev mailing list
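
Added example, not code from this thread or from OpenJDK: the RFC 7292 appendix B.2 key derivation with SHA-1 in Python, showing that an empty password encoded as `byte{0,0}` (NUL-terminated BMPString) and as `byte{}` (no terminator) yields different MAC keys, which is why a loader needs a default and an alternative. The function names, salt and iteration count are constructed for illustration.

```python
import hashlib

MAC_KEY = 3  # RFC 7292 B.3 purpose ID: 1 = cipher key, 2 = IV, 3 = MAC key


def bmp_password(password: str, nul_terminate: bool = True) -> bytes:
    """Encode a password as a PKCS#12 BMPString (UTF-16BE), optionally NUL-terminated."""
    raw = password.encode("utf-16-be")
    return raw + b"\x00\x00" if nul_terminate else raw


def _fill(data: bytes, v: int) -> bytes:
    """Repeat data up to a whole number of v-byte blocks; empty input stays empty."""
    if not data:
        return b""
    n = v * ((len(data) + v - 1) // v)
    return (data * (n // len(data) + 1))[:n]


def pkcs12_kdf(pw: bytes, salt: bytes, iterations: int, purpose_id: int, n: int) -> bytes:
    """RFC 7292 appendix B.2 with SHA-1 (u = 20 output bytes, v = 64 block bytes)."""
    v = 64
    D = bytes([purpose_id]) * v                    # diversifier
    I = bytearray(_fill(salt, v) + _fill(pw, v))   # S || P
    out = b""
    while len(out) < n:
        A = hashlib.sha1(D + I).digest()
        for _ in range(iterations - 1):
            A = hashlib.sha1(A).digest()
        out += A
        B = int.from_bytes(_fill(A, v), "big") + 1
        for j in range(0, len(I), v):              # I_j = (I_j + B + 1) mod 2^(8v)
            block = (int.from_bytes(I[j:j + v], "big") + B) % (1 << (8 * v))
            I[j:j + v] = block.to_bytes(v, "big")
    return out[:n]


def empty_password_keys(salt: bytes, iterations: int) -> dict:
    """Derive the MAC key for both encodings of the empty password."""
    return {
        "nul_terminated": pkcs12_kdf(bmp_password("", True), salt, iterations, MAC_KEY, 20),
        "unterminated": pkcs12_kdf(bmp_password("", False), salt, iterations, MAC_KEY, 20),
    }


if __name__ == "__main__":
    salt = bytes(range(8))  # constructed sample salt
    for name, key in empty_password_keys(salt, 2048).items():
        print(f"{name:15s} {key.hex()}")
```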