RFR: 8308010: X509Key and PKCS8Key allows garbage bytes at the end
Weijun Wang
weijun at openjdk.org
Wed May 17 18:55:53 UTC 2023
On Wed, 17 May 2023 18:14:38 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> When parsing a byte array to a private or public key, it's now converted to a `ByteArrayInputStream` and the parser does not report an error if there are extra bytes at the end.
>
> src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java line 99:
>
>> 97: } catch (IOException e) {
>> 98: throw new InvalidKeyException("IOException: " +
>> 99: e.getMessage());
>
> How about including the cause in the IKE? Also, I suggest an error message such as "unable to decode key".
>
> Same comments for `X509Key`.
Oh, that was old behavior. Would you like the same for https://github.com/openjdk/jdk/blob/199c84a0a2b74f855d75871a26205e05bcf8dc4b/src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java#L138 as well?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13958#discussion_r1196933541
More information about the security-dev
mailing list