[11] RFR 8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error

Xuelei Fan xuelei.fan at oracle.com
Wed Jul 11 16:11:55 UTC 2018

Looks fine to me.


On 7/9/2018 8:39 AM, Weijun Wang wrote:
> Please take a review at
>     http://cr.openjdk.java.net/~weijun/8206189/webrev.00/
> When the password is empty, some pkcs12 implementations actually use "new char[1]" internally. Therefore PKCS12KeyStore tries both "new char[0]" and "new char[1]". Occasionally, an encrypted block can be decrypted by both. If the real password is "new char[1]" but we decrypt successfully with "new char[0]", the output will be garbage and will not be parsed correctly.
> This fix puts the parsing code inside the retry block to "validate" the decrypted data. If it cannot be parsed correctly, the 2nd password will be retried.
> No new regression test, the failed test will be used to verify the fix.
> Thanks
> Max
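
The retry described in the quoted message, as an added example that is not part of the original thread or of the JDK patch. It uses the JCE `PBEWithSHA1AndDESede` cipher and assumes the provider derives different keys for `new char[0]` and `new char[1]`; the class name, the helpers `crypt`, `parses` and `decryptWithRetry`, and the five-byte DER sample are hypothetical and constructed for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class EmptyPasswordRetry {   // hypothetical demo class, not JDK code
    static final String ALG = "PBEWithSHA1AndDESede";

    static byte[] crypt(int mode, char[] pw, byte[] salt, byte[] in)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, SecretKeyFactory.getInstance(ALG).generateSecret(new PBEKeySpec(pw)),
                new PBEParameterSpec(salt, 16));
        return c.doFinal(in);
    }

    // Stand-in for the real ASN.1 parse: SEQUENCE tag plus a short-form length that fits.
    static boolean parses(byte[] d) {
        return d.length >= 2 && d[0] == 0x30 && d[1] >= 0 && d[1] == d.length - 2;
    }

    // Try both empty-password forms; the parse is part of each attempt, so
    // garbage that merely survived the padding check moves on to the next form.
    static byte[] decryptWithRetry(byte[] salt, byte[] ct) throws GeneralSecurityException {
        for (char[] pw : new char[][] { new char[0], new char[1] }) {
            try {
                byte[] pt = crypt(Cipher.DECRYPT_MODE, pw, salt, ct);
                if (parses(pt)) return pt;
            } catch (GeneralSecurityException e) { /* bad padding: try the next form */ }
        }
        throw new GeneralSecurityException("neither empty-password form decrypts and parses");
    }

    public static void main(String[] args) throws Exception {
        byte[] der = {0x30, 0x03, 0x02, 0x01, 0x05};   // constructed: SEQUENCE { INTEGER 5 }
        SecureRandom rnd = new SecureRandom();
        int padOk = 0, recovered = 0, trials = 5000;
        for (int i = 0; i < trials; i++) {
            byte[] salt = new byte[8];
            rnd.nextBytes(salt);
            byte[] ct = crypt(Cipher.ENCRYPT_MODE, new char[1], salt, der);
            try { crypt(Cipher.DECRYPT_MODE, new char[0], salt, ct); padOk++; }
            catch (GeneralSecurityException expected) { /* the usual wrong-key outcome */ }
            if (Arrays.equals(decryptWithRetry(salt, ct), der)) recovered++;
        }
        System.out.println(padOk + "/" + trials + " wrong-password decryptions passed padding; "
                + recovered + "/" + trials + " recovered by decrypt-and-parse retry");
    }
}
```

With a one-block ciphertext and PKCS#5 padding, roughly one wrong-key decryption in 256 ends in a valid padding byte, which is why a successful `doFinal` alone cannot select the password.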
