[11] RFR 8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error

Xuelei Fan xuelei.fan at oracle.com
Wed Jul 11 16:11:55 UTC 2018


Looks fine to me.

Thanks,
Xuelei

On 7/9/2018 8:39 AM, Weijun Wang wrote:
> Please take a review at
> 
>     http://cr.openjdk.java.net/~weijun/8206189/webrev.00/
> 
> When the password is empty, some pkcs12 implementations actually use "new char[1]" internally. Therefore PKCS12KeyStore tries both "new char[0]" and "new char[1]". Occasionally, an encrypted block can be decrypted by both. If the real password is "new char[1]" but we decrypt successfully with "new char[0]", the output will be garbage and will not be parsed correctly.
> 
> This fix puts the parsing code inside the retry block to "validate" the decrypted data. If it cannot be parsed correctly, the 2nd password will be retried.
> 
> No new regression test, the failed test will be used to verify the fix.
> 
> Thanks
> Max
> 


More information about the security-dev mailing list