Fix for: 6415637: PKCS#12 key stores with empty passwords
Florian Weimer
fweimer at bfk.de
Tue Jan 31 13:47:59 UTC 2012
I've ported my previous patch to fix bug 6415637 to the current jdk8-tl
forrest.
There are two related changes (quoting from the initial submission):
1. The password and salt expansion resulted in a division by zero for
empty password strings.
2. Practically speaking, there are two different ways of deriving keys
from an empty passphrase: the terminating NUL character is required
by the specification, but is left out by some implementations
(including OpenJDK if the first bug is fixed). OpenSSL tries to
decrypt with both encodings, and the patch implements that as well.
It is difficult to properly implement the retry behavior without
changing any interfaces, so this patch uses "\0" for the password
*without* a NUL terminator. This is a bit confusing, but it ensures
that passing an empty string as the password creates a PKCS#12 store
which is compliant with the specification.
Because of the division of zero issue, the second change does not
actually modify visible behavior.
To my knowledge, there is now an OCA which covers this change.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 6415637.diff
Type: text/x-diff
Size: 26875 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20120131/3641e68d/6415637.diff>
More information about the security-dev
mailing list