Debuggability of failures in sun.security.rsa.RSASignature

Bernd Eckenfels bernd-2013 at eckenfels.net
Mon Apr 8 20:49:38 PDT 2013


Am 09.04.2013, 03:13 Uhr, schrieb Brad Wetmore  
<bradford.wetmore at oracle.com>:
> We'd need to figure out why the original author made the original  
> decision to swallow the exception.

I think it could be related to the fact that there are all kinds of  
padding oracle vulnerabilities and similiar attacks possible if you are  
too specific to a remote sender - for some kinds of paddings at least.

However that should be documented in the code/javadoc (the current comment  
sounds unrelated), and most likely it can be the responsibility of the  
user of the mothods to decide how specific to be on errors (as in many  
situations it would be good to actually know about padding errors).

Bernd
-- 
http://bernd.eckenfels.net


More information about the security-dev mailing list