RFR: 8308010: X509Key and PKCS8Key allows garbage bytes at the end

Weijun Wang weijun at openjdk.org
Wed May 17 18:55:53 UTC 2023


On Wed, 17 May 2023 18:14:38 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> When parsing a byte array to a private or public key, it's now converted to a `ByteArrayInputStream` and the parser does not report an error if there are extra bytes at the end.
>
> src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java line 99:
> 
>> 97:         } catch (IOException e) {
>> 98:             throw new InvalidKeyException("IOException: " +
>> 99:                     e.getMessage());
> 
> How about including the cause in the IKE? Also, I suggest an error message such as "unable to decode key".
> 
> Same comments for `X509Key`.

Oh, that was old behavior. Would you like the same for https://github.com/openjdk/jdk/blob/199c84a0a2b74f855d75871a26205e05bcf8dc4b/src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java#L138 as well?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13958#discussion_r1196933541


More information about the security-dev mailing list