[11] RFR 8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error

Weijun Wang weijun.wang at oracle.com
Mon Jul 9 15:39:47 UTC 2018

Please take a review at


When the password is empty, some pkcs12 implementations actually use "new char[1]" internally. Therefore PKCS12KeyStore tries both "new char[0]" and "new char[1]". Occasionally, an encrypted block can be decrypted by both. If the real password is "new char[1]" but we decrypt successfully with "new char[0]", the output will be garbage and will not be parsed correctly.

This fix puts the parsing code inside the retry block to "validate" the decrypted data. If it cannot be parsed correctly, the 2nd password will be retried.

No new regression test; the failed test will be used to verify the fix.
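The failure mode and fix described in this message, as an added, self-contained illustration; it is not the JDK's PKCS12KeyStore code or the patch under review. The names `retry`, `Attempt`, `cipher` and `parse` are hypothetical, the key derivation is a simplified stand-in for the PKCS#12 KDF, and the DER sample is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class EmptyPasswordRetry {
    interface Attempt<T> { T run(char[] pw) throws GeneralSecurityException; }

    // Stand-in KDF (NOT the PKCS#12 KDF): SHA-256 over the UTF-16BE password and a 2-byte salt.
    // new char[0] hashes zero password bytes, new char[1] hashes {0,0}, so the keys differ.
    static Cipher cipher(int mode, char[] pw, int salt) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(new String(pw).getBytes(StandardCharsets.UTF_16BE));
        byte[] d = md.digest(new byte[] {(byte) salt, (byte) (salt >> 8)});
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(d, 0, 16, "AES"), new IvParameterSpec(d, 16, 16));
        return c;
    }
    // Minimal structural check standing in for the real DER parse:
    // SEQUENCE tag followed by a short-form length that matches the data.
    static byte[] parse(byte[] der) throws GeneralSecurityException {
        if (der.length < 2 || der[0] != 0x30 || der[1] != der.length - 2)
            throw new GeneralSecurityException("Sequence tag error");
        return der;
    }
    // Try the password as given; if it is empty and the attempt fails, retry with new char[1].
    static <T> T retry(Attempt<T> a, char[] pw) throws GeneralSecurityException {
        try {
            return a.run(pw);
        } catch (GeneralSecurityException e) {
            if (pw.length != 0) throw e;
            return a.run(new char[1]);
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] der = {0x30, 0x0A, 0x04, 0x08, 1, 2, 3, 4, 5, 6, 7, 8}; // constructed sample
        for (int n = 0; n < 65536; n++) {
            final int salt = n;
            byte[] ct = cipher(Cipher.ENCRYPT_MODE, new char[1], salt).doFinal(der);
            // Skip salts where the padding check already rejects the wrong password (the usual case).
            try { cipher(Cipher.DECRYPT_MODE, new char[0], salt).doFinal(ct); }
            catch (GeneralSecurityException e) { continue; }
            // Both passwords "decrypt" this block. Compare decrypt-only retry with decrypt+parse retry.
            byte[] before = retry(pw -> cipher(Cipher.DECRYPT_MODE, pw, salt).doFinal(ct), new char[0]);
            byte[] after = retry(pw -> parse(cipher(Cipher.DECRYPT_MODE, pw, salt).doFinal(ct)), new char[0]);
            System.out.println("salt " + n + ": decrypt-only correct=" + Arrays.equals(before, der)
                    + ", decrypt+parse correct=" + Arrays.equals(after, der));
            return;
        }
    }
}
```

Roughly one salt in 256 yields padding that is valid under the wrong key, which is why the original test failed only occasionally.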
