RFR 8218723: SecretKeyFactory.getInstance( algo_, provider_ ) ignores the provider argument.
Jamil Nimeh
jamil.j.nimeh at oracle.com
Thu Mar 14 15:18:12 UTC 2019
Hi Adam, thanks for taking a look at this. Comments are in-line:
On 3/14/19 7:53 AM, Adam Petcher wrote:
> The change to PBKDF2KeyImpl.java looks fine. About the test:
>
> *) Is it necessary to put the provider in a separate jar? It seems
> unnecessary because you are adding it with Security.insertProviderAt.
JN: I'm honestly not sure. I thought if I wanted this test to run on
both Open and Oracle JDK I thought I'd need the provider to be signed
(which the jar file is). I can try bringing the provider code into the
test body itself. If it runs fine on Oracle JDK then it would be way
better to do that and get rid of the makefile and all the attendant
source for rebuilding the provider jar.
>
> *) Line 54 of the test compares the result of a constructor to null.
> Unless I'm missing something, this reference will always be non-null.
JN: That was left over from an early rev of the test where I was doing
Security.getProvider(String) where it can return null. I'll take that out.
>
> *) At the end of the test, there are some methods that do conversion
> between hex strings and bytes. Can you use the methods in Convert (in
> the test list) instead? I think Convert.hexStringToByteArray is the
> same thing as hex2bin. You may also want to move dumpHexBytes to
> Convert, but it's fine either way.
JN: I had meant to fix that before I sent it to review, I'm in the
process of making that change now.
>
> *) It looks the evilprovider source files have the wrong copyright
> header.
JN: Easily fixed.
>
> *) There is a commented out line of code on line 16 of EvilProvider.java
JN: Good as gone.
>
> On 3/14/2019 9:34 AM, Jamil Nimeh wrote:
>> Hello all,
>>
>> This review will change the SunJCE implementation of PBKDF2 so that
>> it always uses the SunJCE version of the PRF algorithm internally.
>>
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8218723/webrev.01/
>>
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8218723
>>
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8220531
>>
More information about the security-dev
mailing list