[9] RFR 8164494: SunPKCS11-Solaris requires a non-empty PBE password
Weijun Wang
weijun.wang at oracle.com
Sat Aug 20 13:52:00 UTC 2016
I see. Good.
--Max
On 8/20/2016 19:47, Vincent Ryan wrote:
> I did consider the approach below, especially since it saves an extra call to Mac.getInstance.
> However one motivation for fixing the original issue was to better facilitate third-party JCE providers
> and I know of one provider that does support empty passwords which will never get selected if that approach is used.
>
>
>> On 20 Aug 2016, at 01:30, Weijun Wang <weijun.wang at oracle.com> wrote:
>>
>> How about
>>
>> this.prf = (passwdBytes.length == 0) ?
>> Mac.getInstance(prfAlgo, SunJCE.getInstance()) :
>> Mac.getInstance(prfAlgo);
>>
>> Mac is only implemented in SunPKCS11 and SunJCE out-of-box, so this saves an extra getInstance() call.
>>
>> If a 3rd party provider is involved, I'm not sure it supports an empty password (I have a feeling that except for Java everyone else are using the same C codes. Maybe not Microsoft), and this call is safer.
>>
>> --Max
>>
More information about the security-dev
mailing list