Fix for: 6415637: PKCS#12 key stores with empty passwords

Weijun Wang weijun.wang at oracle.com
Thu Feb 2 04:48:25 UTC 2012


I've created a webrev for Florain at

    http://cr.openjdk.java.net/~weijun/6415637/webrev.00/

Very tiny format changes, removing trailing whitespaces, change TABs to 
spaces, and add braces for one-line block in two places.

The code change looks fine, but I would like to get a confirmation from 
someone in the JCE team.

Thanks
Max

On 01/31/2012 09:47 PM, Florian Weimer wrote:
> I've ported my previous patch to fix bug 6415637 to the current jdk8-tl
> forrest.
>
> There are two related changes (quoting from the initial submission):
>
> 1. The password and salt expansion resulted in a division by zero for
>     empty password strings.
>
> 2. Practically speaking, there are two different ways of deriving keys
>     from an empty passphrase: the terminating NUL character is required
>     by the specification, but is left out by some implementations
>     (including OpenJDK if the first bug is fixed).  OpenSSL tries to
>     decrypt with both encodings, and the patch implements that as well.
>     It is difficult to properly implement the retry behavior without
>     changing any interfaces, so this patch uses "\0" for the password
>     *without* a NUL terminator.  This is a bit confusing, but it ensures
>     that passing an empty string as the password creates a PKCS#12 store
>     which is compliant with the specification.
>
> Because of the division of zero issue, the second change does not
> actually modify visible behavior.
>
> To my knowledge, there is now an OCA which covers this change.
>



More information about the security-dev mailing list