RFR: 6227536: KeyGenerator.init() methods do not throw IllegalArgumentException for keysize == 0 [v2]

Valerie Peng valeriep at openjdk.org
Thu Jul 28 23:03:34 UTC 2022


On Thu, 28 Jul 2022 22:55:55 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> What bug/Sean meant was that we wouldn't put in a check into java.security.* framework, but rather in sun.security.* implementation.  And that we don't need to put "SunJCE" in this particular throws message, as we'll know where it is from the stack trace.
>> 
>> My comment agrees that we have a problem in the JCE Hmac code, but there might be other locations where inits like this might allow for invalid 0 values.  It's just a general idea to check we didn't make the same issue elsewhere.
>
> Other (newer) HmacXXX KeyGenerators enforce a min key size of 40. So, perhaps just enforce the same lower limit or just check for <0?

Also, it'd be nice to include HmacMD5 and HmacSHA1 in the bug synopsis, as KeyGenerator covers many algorithms. It would also be nice to add the SunJCE provider to the synopsis, so it's clear that this change/fix is provider-specific.

-------------

PR: https://git.openjdk.org/jdk/pull/9679
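As an added example (not code from this PR or from the JDK), a small probe for the "check we didn't make the same issue elsewhere" point above: it calls init() with key sizes around the 40-bit floor on the SunJCE HMAC KeyGenerators and reports which sizes are rejected and, where accepted, how long the generated key is. HmacMD5, HmacSHA1, the SunJCE provider name and the 40-bit limit come from the thread; the HmacSHA2 algorithm names and the probed key sizes are my assumptions.

```java
import javax.crypto.KeyGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;

public class KeyGenMinSizeProbe {
    // Algorithms to probe: HmacMD5 and HmacSHA1 are the ones named in the
    // thread; the SHA-2 names are assumed to be the "newer" HmacXXX generators.
    static final String[] ALGS = {
        "HmacMD5", "HmacSHA1", "HmacSHA224", "HmacSHA256", "HmacSHA384", "HmacSHA512"
    };
    // Key sizes in bits (assumed values): negative, zero, below the 40-bit floor, at the floor.
    static final int[] KEYSIZES = { -1, 0, 8, 40 };

    /**
     * Returns -1 if init(keysize) on the SunJCE generator for alg throws
     * IllegalArgumentException (InvalidParameterException is a subclass of it),
     * otherwise the encoded length in bytes of the key that init(keysize) produces.
     */
    static int generatedKeyLength(String alg, int keysize)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        KeyGenerator kg = KeyGenerator.getInstance(alg, "SunJCE");
        try {
            kg.init(keysize);
        } catch (IllegalArgumentException e) {
            return -1;
        }
        return kg.generateKey().getEncoded().length;
    }

    public static void main(String[] args) throws Exception {
        for (String alg : ALGS) {
            StringBuilder row = new StringBuilder(alg);
            for (int ks : KEYSIZES) {
                int len = generatedKeyLength(alg, ks);
                row.append("  init(").append(ks).append("): ")
                   .append(len < 0 ? "rejected" : "ACCEPTED, " + len + "-byte key");
            }
            System.out.println(row);
        }
    }
}
```

Any "ACCEPTED" entry for a key size below the floor is a generator that still needs the same lower-limit check.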
