RFR: 8308010: X509Key and PKCS8Key allows garbage bytes at the end
Sean Mullan
mullan at openjdk.org
Wed May 17 18:17:50 UTC 2023
On Fri, 12 May 2023 16:23:53 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> When parsing a byte array to a private or public key, it's now converted to a `ByteArrayInputStream` and the parser does not report an error if there are extra bytes at the end.
src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java line 99:
> 97: } catch (IOException e) {
> 98: throw new InvalidKeyException("IOException: " +
> 99: e.getMessage());
How about including the cause in the IKE? Also, I suggest an error message such as "unable to decode key".
Same comments for `X509Key`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13958#discussion_r1196897272
More information about the security-dev
mailing list