[9] RFR 8164494: SunPKCS11-Solaris requires a non-empty PBE password

Vincent Ryan vincent.x.ryan at oracle.com
Sat Aug 20 11:47:37 UTC 2016


I did consider the approach below, especially since it saves an extra call to Mac.getInstance.
However, one motivation for fixing the original issue was to better facilitate third-party JCE providers,
and I know of one provider that does support empty passwords, which will never get selected if that approach is used.


> On 20 Aug 2016, at 01:30, Weijun Wang <weijun.wang at oracle.com> wrote:
> 
> How about
> 
>  this.prf = (passwdBytes.length == 0) ?
>      Mac.getInstance(prfAlgo, SunJCE.getInstance()) :
>      Mac.getInstance(prfAlgo);
> 
> Mac is only implemented in SunPKCS11 and SunJCE out-of-box, so this saves an extra getInstance() call.
> 
> If a 3rd party provider is involved, I'm not sure it supports an empty password (I have a feeling that, except for Java, everyone else is using the same C code. Maybe not Microsoft), and this call is safer.
> 
> --Max
> 
> On 8/20/2016 5:18, Valerie Peng wrote:
>> Looks fine to me.
>> Thanks,
>> Valerie
>> 
>> On 8/19/2016 9:57 AM, Vincent Ryan wrote:
>>> Please review this fix to PBE key derivation function which detects
>>> when a non-empty password
>>> is supplied to the SunPKCS11-Solaris JCE provider and fails over to
>>> the SunJCE provider instead.
>>> Thanks.
>>> 
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8164494
>>> Webrev: http://cr.openjdk.java.net/~vinnie/8164494/webrev.00/
>>> 
>> 
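
A provider-neutral way to choose the PRF for an empty password, so that any installed provider that accepts the key stays eligible, which is the concern raised at the top of this message. This is an added example, not code from the webrev or from the JDK; the names `EmptyPasswordPrf`, `rawKey` and `initPrf` are hypothetical, and it assumes a provider signals rejection with `InvalidKeyException` or `ProviderException`.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

public class EmptyPasswordPrf {   // hypothetical class name

    // SecretKeySpec rejects zero-length keys, so expose the raw bytes directly.
    static SecretKey rawKey(final byte[] bytes, final String algo) {
        return new SecretKey() {
            public String getAlgorithm() { return algo; }
            public String getFormat()    { return "RAW"; }
            public byte[] getEncoded()   { return bytes.clone(); }
        };
    }

    // Walk the providers in preference order and return the first Mac
    // that initialises with the given password bytes (possibly empty).
    static Mac initPrf(String prfAlgo, byte[] passwdBytes)
            throws NoSuchAlgorithmException, InvalidKeyException {
        Provider[] candidates = Security.getProviders("Mac." + prfAlgo);
        if (candidates == null || candidates.length == 0) {
            throw new NoSuchAlgorithmException("No provider for Mac." + prfAlgo);
        }
        SecretKey key = rawKey(passwdBytes, prfAlgo);
        InvalidKeyException last = null;
        for (Provider p : candidates) {
            try {
                Mac mac = Mac.getInstance(prfAlgo, p);
                mac.init(key);            // a provider that rejects the key fails here
                return mac;
            } catch (InvalidKeyException | ProviderException e) {
                // Assumption: rejection surfaces as one of these two exceptions.
                last = new InvalidKeyException(p.getName() + " rejected the key", e);
            }
        }
        throw last;                       // every candidate refused the key
    }

    public static void main(String[] args) throws Exception {
        Mac prf = initPrf("HmacSHA1", new byte[0]);
        System.out.println("PRF for empty password from: " + prf.getProvider().getName());
    }
}
```

The cost of this approach is one `getInstance()` and `init()` attempt per provider that refuses the key, which is the trade-off against pinning a single fallback provider.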



