RFR[12] JDK-8214096: sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
Sean Mullan
sean.mullan at oracle.com
Tue Dec 18 13:14:49 UTC 2018
On 12/17/18 10:14 PM, Weijun Wang wrote:
> Hi Valerie,
>
> Please put lines 87 and 100 into the if-not-null block. Otherwise fine.
>
> Do you think we can enhance the Signature::setParameter method and claim a null parameter is not meaningful at all and should not have any effect on the internal state of the signature object? Otherwise an application really has no idea whether to call it.
That would be a specification change, so it can't be part of this
fix, since it is past RDP. It also has a somewhat high compatibility
risk, since it would require existing 3rd-party providers (such as
BouncyCastle) that throw NPE to change their implementation.
It is unfortunate that the behavior of a null parameter was never
clearly defined.
--Sean
>
> Thanks,
> Max
>
>> On Dec 18, 2018, at 8:41 AM, Valerie Peng <valerie.peng at oracle.com> wrote:
>>
>> Does anyone have time to review this straightforward fix? Details on the cause and fix are elaborated in the link below:
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8214096
>>
>> Webrev can be found at http://cr.openjdk.java.net/~valeriep/8214096/webrev.00/
>>
>> Regards,
>> Valerie
>>
>>
>