RFR 8076999: SunJCE support of password-based encryption scheme 2 params (PBES2) not working
Jamil Nimeh
jamil.j.nimeh at oracle.com
Fri May 24 22:51:08 UTC 2019
Hello all, happy Friday!
Please review the following CSR and code review. This makes updates to
the SunJCE implementation of PBES2-based AlgorithmParameters. Many of
the details are in the CSR (see the link below). But a short list of
the updates:
* Add DER Encode/Decode support for the following OIDs from RFC 8018:
o PRFs: HmacSHA512/224, HmacSHA512/256
o Encryption Schemes: AES-192-CBC, DES, Triple-DES, RC2, RC5
* Enforce init-time type consistency between AlgorithmParameterSpec
objects and the algorithms they are used with (i.e. no using
RC5ParameterSpec with AES-128-CBC).
* Enforce sanity checks on AlgorithmParameterSpec objects used to init
(e.g. IV length checks, integer range checks, etc.)
* Fixed a bug where explicit DER decoding of the optional key length
field in PBKDF2-params would cause the PRF to be forced to HmacSHA1
even if the DER indicated otherwise
* Allow incoming DER encoded AlgorithmIdentifier structures to honor
the OPTIONAL qualifier on the parameters field for both PRFs and
Encryption Schemes.
* If a null encryption scheme AlgorithmParameterSpec is provided
during init time, omit the PBES2-params.encryptionScheme's parameter
segment since it is OPTIONAL per the ASN.1 from RFC 5280
More details are in the CSR.
CSR: https://bugs.openjdk.java.net/browse/JDK-8221936
Bug: https://bugs.openjdk.java.net/browse/JDK-8076999
Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8076999/webrev.01/
--Jamil
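As an added illustration (not part of Jamil's message or the webrev), the following stand-alone Java program exercises the two behaviours the review is about: the DER encode/decode round trip of PBES2-params, where the PRF must survive the explicit decoding path, and the init-time sanity checks on the AlgorithmParameterSpec. It assumes the SunJCE algorithm name "PBEWithHmacSHA256AndAES_128" for a PBES2 AlgorithmParameters object and that the provider's toString() reports the PBES2 algorithm name; the salt and IV are generated locally, and the "rejected" outcomes are what the review describes, so on a JDK without this change those calls may succeed.

```java
import java.io.IOException;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.spec.InvalidParameterSpecException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEParameterSpec;
import javax.crypto.spec.RC5ParameterSpec;

public class Pbes2ParamsRoundTrip {

    // Assumed SunJCE name for a PBES2 parameter set using HmacSHA256 as the
    // PBKDF2 PRF and AES-128-CBC as the encryption scheme.
    private static final String ALG = "PBEWithHmacSHA256AndAES_128";

    /** Encode PBES2-params to DER, decode them again, and return the decoded object. */
    static AlgorithmParameters roundTrip(byte[] salt, int iterations, byte[] iv)
            throws GeneralSecurityException, IOException {
        AlgorithmParameters original = AlgorithmParameters.getInstance(ALG, "SunJCE");
        // PBEParameterSpec carries the PBKDF2 salt/iterations and the scheme's IV.
        original.init(new PBEParameterSpec(salt, iterations, new IvParameterSpec(iv)));

        byte[] der = original.getEncoded();   // DER PBES2-params as defined in RFC 8018
        System.out.println("DER (base64): " + Base64.getEncoder().encodeToString(der));

        AlgorithmParameters decoded = AlgorithmParameters.getInstance(ALG, "SunJCE");
        decoded.init(der);                    // the explicit DER decoding path
        return decoded;
    }

    /** Try to init with a spec the review says must be refused; report the outcome. */
    static void expectRejected(String label, PBEParameterSpec spec)
            throws GeneralSecurityException {
        AlgorithmParameters p = AlgorithmParameters.getInstance(ALG, "SunJCE");
        try {
            p.init(spec);
            System.out.println(label + ": ACCEPTED (init-time checks from this review absent)");
        } catch (InvalidParameterSpecException e) {
            System.out.println(label + ": rejected as expected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16];   // constructed locally for the demo
        byte[] iv = new byte[16];     // AES-CBC block-sized IV
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);

        AlgorithmParameters decoded = roundTrip(salt, 10000, iv);
        PBEParameterSpec spec = decoded.getParameterSpec(PBEParameterSpec.class);
        IvParameterSpec ivSpec = (IvParameterSpec) spec.getParameterSpec();
        System.out.println("salt matches: " + Arrays.equals(salt, spec.getSalt()));
        System.out.println("iterations:   " + spec.getIterationCount());
        System.out.println("iv matches:   " + Arrays.equals(iv, ivSpec.getIV()));
        // The PRF must survive decoding. A decoder that forces HmacSHA1 (the bug
        // described in the review) would report a different algorithm name here.
        // Assumes toString() returns the PBES2 algorithm name.
        System.out.println("algorithm:    " + decoded);

        // Init-time consistency checks described in the review.
        expectRejected("RC5ParameterSpec with AES-128-CBC",
                new PBEParameterSpec(salt, 10000, new RC5ParameterSpec(1, 12, 32)));
        expectRejected("8-byte IV for AES-128-CBC",
                new PBEParameterSpec(salt, 10000, new IvParameterSpec(new byte[8])));
    }
}
```

Running it with `java Pbes2ParamsRoundTrip.java` on a JDK that includes this change should print the salt, iteration count and IV as matching, the algorithm name with HmacSHA256 intact, and both mismatched specs as rejected; on an older JDK the algorithm line is where the PRF downgrade to HmacSHA1 would show up.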