Code review request: 6755701 SecretKeySpec & DES

Valerie (Yu-Ching) Peng valerie.peng at oracle.com
Tue Jul 2 22:31:47 UTC 2013


Well, I don't think there is anything wrong with the 
SecretKeyFactory.generateSecret API.
DESKeySpec/DESedeKeySpec do check the length of the key bytes when 
constructed.
If we were to accept the SecretKeySpec object as generic key spec, then 
we should add additional checks and throw an InvalidKeySpec exception 
before passing the key bytes to the underlying key impl classes, i.e. 
DESKey/DESedeKey.

Valerie
On 07/02/13 14:48, Anthony Scarpino wrote:
> On 07/02/2013 02:20 PM, Brad Wetmore wrote:
>> It's not common to use this style:
>>
>>      throw new InvalidKeySpecException
>>              ("Inappropriate key specification");
>>
>> but rather:
>>
>>      throw new InvalidKeySpecException(
>>          "Inapp...");
>
> That was preexisting code.  I have no problem fixing the style, I'm 
> just not taking the fall :)
>
>
>>
>> Also, what happens in the case that the size doesn't match up with what
>> DESKey's constructor needs?  For example, if you provide 7 bytes, won't
>> that throw an InvalidKeyException and thus you get a null back from
>> engineGenerateSecret?  The SecretKeyFactory.generateSecret() API doesn't
>> mention anything about possibly getting a null back.
>>
>> I know that's the existing behavior, but that seems fishy to me.  Bug in
>> API?
>>
>
> It does seem a bit strange to not be throwing an InvalidKeyException. 
> Looks like a bug in the API.
>
>> Brad
>>
>>
>>
>> On 6/28/2013 5:33 PM, Xuelei Fan wrote:
>>> Looks fine to me.
>>>
>>> Xuelei
>>>
>>> On 6/29/2013 1:40 AM, Anthony Scarpino wrote:
>>>> ping...
>>>>
>>>> On 06/13/2013 05:08 PM, Anthony Scarpino wrote:
>>>>> Hi all,
>>>>>
>>>>> I'm requesting a code review for the below bug
>>>>>
>>>>> 6755701 SunJCE DES/DESede SecretKeyFactory.generateSecret throws
>>>>> InvalidKeySpecExc if passed SecretKeySpec
>>>>>
>>>>> http://cr.openjdk.java.net/~ascarpino/6755701/webrev.00/
>>>>>
>>>>> Thanks
>>>>>
>>>>> Tony
>>>>
>>>
>
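
The length check discussed in this thread, sketched on the caller side as an added example (not code from the webrev or from SunJCE). The class and method names are hypothetical, and the exact-length rule is an assumption of this sketch: `DESKeySpec` and `DESedeKeySpec` themselves only reject arrays that are too short.

```java
import java.security.GeneralSecurityException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class DesSpecCheck {
    // Hypothetical helper: validate a generic SecretKeySpec, then hand the
    // factory an algorithm-specific spec so a bad length never reaches the key class.
    static SecretKey fromSecretKeySpec(SecretKeySpec spec) throws GeneralSecurityException {
        String alg = spec.getAlgorithm();
        boolean des = alg.equalsIgnoreCase("DES");
        if (!des && !alg.equalsIgnoreCase("DESede")) {
            throw new InvalidKeySpecException("Inappropriate key specification: " + alg);
        }
        int expected = des ? DESKeySpec.DES_KEY_LEN : DESedeKeySpec.DES_EDE_KEY_LEN;
        byte[] raw = spec.getEncoded();          // defensive copy of the key bytes
        try {
            if (raw.length != expected) {        // assumption: exact length required
                throw new InvalidKeySpecException(
                    alg + " key must be " + expected + " bytes, got " + raw.length);
            }
            KeySpec typed;
            if (des) {
                typed = new DESKeySpec(raw);
            } else {
                typed = new DESedeKeySpec(raw);
            }
            return SecretKeyFactory.getInstance(des ? "DES" : "DESede").generateSecret(typed);
        } finally {
            Arrays.fill(raw, (byte) 0);          // wipe the local copy
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key material, for illustration only.
        int[] lengths = {8, 24, 7};
        for (int n : lengths) {
            String alg = (n == 24) ? "DESede" : "DES";
            try {
                SecretKey k = fromSecretKeySpec(new SecretKeySpec(new byte[n], alg));
                System.out.println(n + " bytes -> " + k.getAlgorithm() + " key");
            } catch (InvalidKeySpecException e) {
                System.out.println(n + " bytes -> rejected: " + e.getMessage());
            }
        }
    }
}
```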
