[11] RFR 8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error
Weijun Wang
weijun.wang at oracle.com
Mon Jul 9 15:39:47 UTC 2018
Please review
http://cr.openjdk.java.net/~weijun/8206189/webrev.00/
When the password is empty, some pkcs12 implementations actually use "new char[1]" internally. Therefore PKCS12KeyStore tries both "new char[0]" and "new char[1]". Occasionally, an encrypted block can be decrypted by both. If the real password is "new char[1]" but we decrypt successfully with "new char[0]", the output will be garbage and will not be parsed correctly.
This fix puts the parsing code inside the retry block to "validate" the decrypted data. If it cannot be parsed correctly, the 2nd password will be retried.
No new regression test; the failed test will be used to verify the fix.
Thanks
Max
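
The failure mode and the fix described in this message, as an added example that is not part of the original post and not the JDK's code. Assumptions: the class and the helpers `crypt`, `parse` and `open` are hypothetical, SHA-256 with AES-CBC stands in for the PKCS #12 key derivation and cipher, and `parse` is a minimal stand-in for DER parsing. `main` searches constructed blocks encrypted under `new char[1]` for one that `new char[0]` also decrypts without a padding error.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class RetryWithValidation {
    // Assumption: SHA-256 of the UTF-16BE password stands in for the PKCS #12 KDF (key + IV).
    static byte[] crypt(int mode, char[] pw, byte[] in) throws Exception {
        byte[] k = MessageDigest.getInstance("SHA-256")
                .digest(new String(pw).getBytes(StandardCharsets.UTF_16BE));
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(k, 0, 16, "AES"), new IvParameterSpec(k, 16, 16));
        return c.doFinal(in);
    }

    // Hypothetical stand-in for DER parsing: SEQUENCE tag 0x30 plus a matching short-form length.
    static byte[] parse(byte[] der) {
        if (der.length < 2 || der[0] != 0x30 || der[1] != der.length - 2)
            throw new IllegalArgumentException("Sequence tag error");
        return der;
    }

    // Decrypt and parse in the same retry step, so garbage from the wrong candidate is rejected.
    static byte[] open(byte[] enc, char[] password) throws Exception {
        char[][] candidates = password.length == 0
                ? new char[][] { new char[0], new char[1] } : new char[][] { password };
        Exception last = null;
        for (char[] pw : candidates) {
            try { return parse(crypt(Cipher.DECRYPT_MODE, pw, enc)); }
            catch (BadPaddingException | IllegalArgumentException e) { last = e; }
        }
        throw last; // every candidate failed padding or parsing
    }

    public static void main(String[] args) throws Exception {
        for (int i = 0; ; i++) { // constructed sample blocks, encrypted under new char[1]
            byte[] der = ("0?entry-" + i).getBytes(StandardCharsets.US_ASCII); // '0' is 0x30
            der[1] = (byte) (der.length - 2);
            byte[] enc = crypt(Cipher.ENCRYPT_MODE, new char[1], der);
            try { crypt(Cipher.DECRYPT_MODE, new char[0], enc); }
            catch (BadPaddingException e) { continue; } // the usual case: padding check fails
            byte[] out = open(enc, new char[0]); // both candidates pass padding; parsing decides
            System.out.println("i=" + i + ": "
                    + new String(out, 2, out.length - 2, StandardCharsets.US_ASCII));
            return;
        }
    }
}
```

A wrong key passes the PKCS5 padding check roughly once in 256 single-block attempts, which is why the padding result alone cannot select the password candidate.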