Fix for: 6415637: PKCS#12 key stores with empty passwords
Weijun Wang
weijun.wang at oracle.com
Thu Feb 2 04:48:25 UTC 2012
I've created a webrev for Florain at
http://cr.openjdk.java.net/~weijun/6415637/webrev.00/
Very tiny format changes, removing trailing whitespaces, change TABs to
spaces, and add braces for one-line block in two places.
The code change looks fine, but I would like to get a confirmation from
someone in the JCE team.
Thanks
Max
On 01/31/2012 09:47 PM, Florian Weimer wrote:
> I've ported my previous patch to fix bug 6415637 to the current jdk8-tl
> forrest.
>
> There are two related changes (quoting from the initial submission):
>
> 1. The password and salt expansion resulted in a division by zero for
> empty password strings.
>
> 2. Practically speaking, there are two different ways of deriving keys
> from an empty passphrase: the terminating NUL character is required
> by the specification, but is left out by some implementations
> (including OpenJDK if the first bug is fixed). OpenSSL tries to
> decrypt with both encodings, and the patch implements that as well.
> It is difficult to properly implement the retry behavior without
> changing any interfaces, so this patch uses "\0" for the password
> *without* a NUL terminator. This is a bit confusing, but it ensures
> that passing an empty string as the password creates a PKCS#12 store
> which is compliant with the specification.
>
> Because of the division of zero issue, the second change does not
> actually modify visible behavior.
>
> To my knowledge, there is now an OCA which covers this change.
>
More information about the security-dev
mailing list