RFR: 6227536: KeyGenerator.init() methods do not throw IllegalArgumentException for keysize == 0 [v2]

[Valerie Peng]

On Thu, 28 Jul 2022 21:51:48 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:

>>> Needs regression tests.
>>> 
>>> Have you looked at the other Key(Pair)Generators? We've probably added more when this bug was filed. I took a quick look at some, and they were covered. (DES/DESede/Blowfish/AES/etc.)
>> 
>> @bradfordwetmore The bug mentions only the Hmac*KeyGenerators. I thought about this too, but you mentioned in your initial triage comment on the bug that it should be treated as only relevant to the classes I modified. Thoughts?
>
> What bug/Sean meant was that we wouldn't put in a check into java.security.* framework, but rather in sun.security.* implementation.  And that we don't need to put "SunJCE" in this particular throws message, as we'll know where it is from the stack trace.
> 
> My comment agrees that we have a problem in the JCE Hmac code, but there might be other locations where init's like this might allow for invalid 0 values.  It's just a general idea to check we didn't make the same issue elsewhere.

Other (newer) HmacXXX KeyGenerator enforces min key size to be 40. So, perhaps just enforce the same lower limit or just check for <0?

-------------

PR: https://git.openjdk.org/jdk/pull/9679