Fix for: 6415637: PKCS#12 key stores with empty passwords
Vincent Ryan
vincent.x.ryan at oracle.com
Thu Feb 2 12:05:57 UTC 2012
That fix looks fine.
On 02/ 2/12 04:48 AM, Weijun Wang wrote:
> I've created a webrev for Florain at
>
> http://cr.openjdk.java.net/~weijun/6415637/webrev.00/
>
> Very tiny format changes, removing trailing whitespaces, change TABs to spaces,
> and add braces for one-line block in two places.
>
> The code change looks fine, but I would like to get a confirmation from someone
> in the JCE team.
>
> Thanks
> Max
>
> On 01/31/2012 09:47 PM, Florian Weimer wrote:
>> I've ported my previous patch to fix bug 6415637 to the current jdk8-tl
>> forrest.
>>
>> There are two related changes (quoting from the initial submission):
>>
>> 1. The password and salt expansion resulted in a division by zero for
>> empty password strings.
>>
>> 2. Practically speaking, there are two different ways of deriving keys
>> from an empty passphrase: the terminating NUL character is required
>> by the specification, but is left out by some implementations
>> (including OpenJDK if the first bug is fixed). OpenSSL tries to
>> decrypt with both encodings, and the patch implements that as well.
>> It is difficult to properly implement the retry behavior without
>> changing any interfaces, so this patch uses "\0" for the password
>> *without* a NUL terminator. This is a bit confusing, but it ensures
>> that passing an empty string as the password creates a PKCS#12 store
>> which is compliant with the specification.
>>
>> Because of the division of zero issue, the second change does not
>> actually modify visible behavior.
>>
>> To my knowledge, there is now an OCA which covers this change.
>>
More information about the security-dev
mailing list