RFR: 6227536: KeyGenerator.init() methods do not throw IllegalArgumentException for keysize == 0 [v2]

Bradford Wetmore wetmore at openjdk.org
Thu Jul 28 21:53:51 UTC 2022


On Thu, 28 Jul 2022 21:43:19 GMT, Kevin Driver <kdriver at openjdk.org> wrote:

>> @seanjmullan I thought about this, but I added it due to the bug describing that this would be implementation-specific rather than framework-specific. I can take it out.
>
>> Needs regression tests.
>> 
>> Have you looked at the other Key(Pair)Generators? We've probably added more when this bug was filed. I took a quick look at some, and they were covered. (DES/DESede/Blowfish/AES/etc.)
> 
> @bradfordwetmore The bug mentions only the Hmac*KeyGenerators. I thought about this too, but you mentioned in your initial triage comment on the bug that it should be treated as only relevant to the classes I modified. Thoughts?

What the bug/Sean meant was that we wouldn't put a check into the java.security.* framework, but rather in the sun.security.* implementation. And that we don't need to put "SunJCE" in this particular throws message, as we'll know where it is from the stack trace.

My comment agrees that we have a problem in the JCE Hmac code, but there might be other locations where inits like this might allow for invalid 0 values. It's just a general idea to check that we didn't make the same issue elsewhere.

-------------

PR: https://git.openjdk.org/jdk/pull/9679
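
The check suggested in the reply above, sketched as an added example that is not part of this thread or of the JDK change: it walks every installed provider's KeyGenerator services and reports which init() overloads accept a key size of 0. The class and method names (ZeroKeySizeAudit, acceptsZero, findAcceptingZero) are hypothetical.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.KeyGenerator;

// Added example, not JDK code. ZeroKeySizeAudit and its method names are hypothetical.
public class ZeroKeySizeAudit {

    // Calls one init() overload with keysize 0; true means the value was accepted.
    static boolean acceptsZero(Provider p, String alg, boolean withRandom) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(alg, p);
        try {
            if (withRandom) kg.init(0, new SecureRandom()); else kg.init(0);
            return true;
        } catch (IllegalArgumentException rejected) {
            // InvalidParameterException extends IllegalArgumentException, so both land here.
            return false;
        }
    }

    // Lists "provider/algorithm overload" for every KeyGenerator that accepted 0.
    static List<String> findAcceptingZero() {
        List<String> accepted = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (!"KeyGenerator".equals(s.getType())) continue;
                String id = p.getName() + "/" + s.getAlgorithm();
                for (boolean withRandom : new boolean[] {false, true}) {
                    try {
                        if (acceptsZero(p, s.getAlgorithm(), withRandom)) {
                            accepted.add(id + (withRandom ? " init(int, SecureRandom)" : " init(int)"));
                        }
                    } catch (Exception e) {
                        // Not instantiable, or fails for a reason unrelated to key size.
                        System.err.println("skipped " + id + ": " + e);
                    }
                }
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        findAcceptingZero().forEach(System.out::println);
    }
}
```

Each line printed names a generator whose init overload accepted a key size of 0, which makes it a candidate for the same check and a regression test.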
