Debuggability of failures in sun.security.rsa.RSASignature
Matthew Hall
mhall at mhcomputing.net
Tue Apr 9 06:57:32 UTC 2013
Yes, such as when trying to debug interoperability issues like I was. Which is basically impossible with the current code unless you put everything through the debugger.
--
Sent from my mobile device.
Bernd Eckenfels <bernd-2013 at eckenfels.net> wrote:
>On 09.04.2013 at 03:13, Brad Wetmore
><bradford.wetmore at oracle.com> wrote:
>> We'd need to figure out why the original author made the original
>> decision to swallow the exception.
>
>I think it could be related to the fact that there are all kinds of
>padding oracle vulnerabilities and similar attacks possible if you are
>too specific to a remote sender - for some kinds of paddings at least.
>
>However that should be documented in the code/javadoc (the current
>comment sounds unrelated), and most likely it can be the responsibility
>of the user of the methods to decide how specific to be on errors (as in
>many situations it would be good to actually know about padding errors).
>
>Bernd
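
The trade-off discussed in this thread, as an added example that is not code from the JDK or from any of the posters: the caller keeps a detailed failure reason for its own log while the remote sender only ever gets a boolean. The class `RsaVerifyDiagnostics`, its methods, the `SHA256withRSA` choice and the sample message are assumptions made for illustration; only public `java.security` APIs are used.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.RSAPublicKey;

// Added example; class and method names are hypothetical, not JDK code.
public class RsaVerifyDiagnostics {
    // Local-only: report where the PKCS#1 v1.5 block (00 01 FF..FF 00 DigestInfo) breaks.
    static String diagnose(RSAPublicKey pub, byte[] sig) {
        BigInteger n = pub.getModulus();
        int k = (n.bitLength() + 7) / 8;
        if (sig.length != k) return "signature is " + sig.length + " bytes, modulus is " + k;
        BigInteger s = new BigInteger(1, sig);
        if (s.compareTo(n) >= 0) return "signature value >= modulus (wrong key?)";
        byte[] raw = s.modPow(pub.getPublicExponent(), n).toByteArray();
        byte[] em = new byte[k];                       // left-pad to modulus length
        int len = Math.min(raw.length, k);             // drops a possible sign byte
        System.arraycopy(raw, raw.length - len, em, k - len, len);
        if (em[0] != 0x00 || em[1] != 0x01) return "bad block header (wrong key or corrupt signature)";
        int i = 2;
        while (i < k && em[i] == (byte) 0xff) i++;
        if (i < 10) return "fewer than 8 padding bytes";
        if (i == k || em[i] != 0x00) return "no 00 separator after padding";
        return "padding well-formed; check digest algorithm and hash in the " + (k - i - 1) + "-byte DigestInfo";
    }
    // What the remote sender learns: one boolean, whatever the cause.
    static boolean verifyForRemote(RSAPublicKey pub, byte[] msg, byte[] sig) {
        boolean ok = false;
        try {
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(pub); v.update(msg);
            ok = v.verify(sig);
        } catch (GeneralSecurityException e) {
            System.err.println("verify threw " + e);   // stands in for a local log
        }
        if (!ok) System.err.println("verify failed: " + diagnose(pub, sig));
        return ok;
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair signer = g.generateKeyPair(), other = g.generateKeyPair();
        byte[] msg = "constructed sample message".getBytes("UTF-8");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(signer.getPrivate()); s.update(msg);
        byte[] sig = s.sign();
        System.out.println(verifyForRemote((RSAPublicKey) signer.getPublic(), msg, sig)); // matching key
        System.out.println(verifyForRemote((RSAPublicKey) other.getPublic(), msg, sig));  // wrong key
    }
}
```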