[11] RFR 8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error
Xuelei Fan
xuelei.fan at oracle.com
Wed Jul 11 16:11:55 UTC 2018
Looks fine to me.
Thanks,
Xuelei
On 7/9/2018 8:39 AM, Weijun Wang wrote:
> Please take a look at
>
> http://cr.openjdk.java.net/~weijun/8206189/webrev.00/
>
> When the password is empty, some pkcs12 implementations actually use "new char[1]" internally. Therefore PKCS12KeyStore tries both "new char[0]" and "new char[1]". Occasionally, an encrypted block can be decrypted by both. If the real password is "new char[1]" but we decrypt successfully with "new char[0]", the output will be garbage and will not be parsed correctly.
>
> This fix puts the parsing code inside the retry block to "validate" the decrypted data. If it cannot be parsed correctly, the 2nd password will be retried.
>
> No new regression test; the failed test will be used to verify the fix.
>
> Thanks
> Max
>
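The ambiguity and the retry-with-validation pattern described in the quoted message, as an added example that is not code from the webrev or from the JDK. The class name, `crypt`, `parse` (a marker check standing in for the DER parser) and `load` are hypothetical, and the payload, salts and iteration count are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class EmptyPasswordRetry {
    static final String ALG = "PBEWithSHA1AndDESede"; // PKCS #12 PBE from the SunJCE provider

    static byte[] crypt(int mode, char[] pw, byte[] salt, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, SecretKeyFactory.getInstance(ALG).generateSecret(new PBEKeySpec(pw)),
               new PBEParameterSpec(salt, 16)); // low iteration count: constructed demo value
        return c.doFinal(in);
    }

    // Hypothetical stand-in for the DER parser: checks a marker instead of a SEQUENCE tag.
    static String parse(byte[] plain) {
        String s = new String(plain, StandardCharsets.ISO_8859_1);
        if (!s.startsWith("SEQ:")) throw new IllegalArgumentException("Sequence tag error");
        return s.substring(4);
    }

    // Decrypt AND parse inside the retry, so garbage from the first password triggers the second.
    static String load(char[] pw, byte[] salt, byte[] enc) throws GeneralSecurityException {
        try {
            return parse(crypt(Cipher.DECRYPT_MODE, pw, salt, enc));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            if (pw.length != 0) throw e; // only the empty password has two encodings
            return parse(crypt(Cipher.DECRYPT_MODE, new char[1], salt, enc));
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = "SEQ:constructed sample".getBytes(StandardCharsets.ISO_8859_1);
        for (int i = 0; i < 1 << 20; i++) {
            byte[] salt = {(byte) i, (byte) (i >> 8), (byte) (i >> 16), 0, 0, 0, 0, 0};
            byte[] enc = crypt(Cipher.ENCRYPT_MODE, new char[1], salt, data); // real password: new char[1]
            try {
                crypt(Cipher.DECRYPT_MODE, new char[0], salt, enc); // passes only if padding looks valid
            } catch (GeneralSecurityException e) {
                continue; // the usual case: wrong password rejected by the padding check
            }
            System.out.println("salt #" + i + " decrypts under both passwords");
            System.out.println("load() returns: " + load(new char[0], salt, enc));
            return;
        }
    }
}
```

The search loop typically stops after a few hundred salts, since a wrong key produces valid-looking PKCS #5 padding roughly once in 256 attempts; that rate is why the original test failed only occasionally.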