Code review request: 6755701 SecretKeySpec & DES
Valerie (Yu-Ching) Peng
valerie.peng at oracle.com
Wed Jul 3 19:13:26 UTC 2013
As I mentioned in my earlier email, I think you should add a check to
ensure that the result from theSecretKeySpec.getEncoded() has the right
length (i.e. 8 for DES, 24 for DESede) before passing them to
DESKey/DESedeKey.
Valerie
On 07/03/13 11:46, Anthony Scarpino wrote:
> I updated the webrev to reflect the simple style change you mention
> below. I'm going to proceed with the pre-push jar signing procedures
> figuring the discussion regarding InvalidKeyException is not related
> to this exact fix.
>
> http://cr.openjdk.java.net/~ascarpino/6755701/webrev.01/
>
> Tony
>
> On 07/02/2013 02:20 PM, Brad Wetmore wrote:
>> It's not common to use this style:
>>
>> 74 throw new InvalidKeySpecException
>> 75 ("Inappropriate key specification");
>>
>> but rather:
>>
>> throw new InvalidKeySpecException(
>> "Inapp...");
>>
>> Also, what happens in the case that the size doesn't match up with what
>> DESKey's constructor needs? For example, if you provide 7 bytes, won't
>> that throw a InvalidKeyException and thus you get a null back from
>> engineGenerateSecret? The SecretKeyFactory.generateSecret() API doesn't
>> mention anything about possibly getting a null back.
>>
>> I know that's the existing behavior, but that seems fishy to me. Bug in
>> API?
>>
>> Brad
>>
>>
>>
>> On 6/28/2013 5:33 PM, Xuelei Fan wrote:
>>> Looks fine to me.
>>>
>>> Xuelei
>>>
>>> On 6/29/2013 1:40 AM, Anthony Scarpino wrote:
>>>> ping...
>>>>
>>>> On 06/13/2013 05:08 PM, Anthony Scarpino wrote:
>>>>> Hi all,
>>>>>
>>>>> I'm requesting a code review for the below bug
>>>>>
>>>>> 6755701 SunJCE DES/DESede SecretKeyFactory.generateSecret throws
>>>>> InvalidKeySpecExc if passed SecretKeySpec
>>>>>
>>>>> http://cr.openjdk.java.net/~ascarpino/6755701/webrev.00/
>>>>>
>>>>> Thanks
>>>>>
>>>>> Tony
>>>>
>>>
>
More information about the security-dev
mailing list