RFR: 8296442: EncryptedPrivateKeyInfo can be created with an uninitialized AlgorithmParameters
Weijun Wang
weijun at openjdk.org
Thu Nov 10 14:39:20 UTC 2022
On Thu, 10 Nov 2022 05:42:27 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
>> src/java.base/share/classes/javax/crypto/EncryptedPrivateKeyInfo.java line 423:
>>
>>> 421: // wrap everything into a SEQUENCE
>>> 422: out.write(DerValue.tag_Sequence, tmp);
>>> 423: return out.toByteArray();
>>
>> I'd rather not cache the encoding. First, the cache makes the class mutable. Second, `getEncode` should usually only be called once and the cache is not so useful. Third, this avoids an unnecessary clone (on the line below).
>
> I'm not very sure of the 2nd point. Is it possible the class could be a long term object, and used multiple time? Anyway, the encoding should be fast and may not worthy of a mutable design.
Well, maybe not very sure. IMO, the class itself only does decryption so most likely one reads the encrypted key from a file and then call one of the `getKeySpec` methods to extract the key inside. If doing an encryption, user has to encrypt it on their own and then call one of the constructors with 2 arguments, and then might call `getEncoded` to store it somewhere. This only needs to be done once.
-------------
PR: https://git.openjdk.org/jdk/pull/11067
More information about the security-dev
mailing list