RFR: 8320449: ECDHKeyAgreement should validate parameters before using them

John Jiang jjiang at openjdk.org
Fri Jan 12 15:33:22 UTC 2024


On Fri, 12 Jan 2024 13:46:43 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> ECDHKeyAgreement should validate the parameters before assigning them to the fields.
>
> src/java.base/share/classes/sun/security/ec/ECDHKeyAgreement.java line 83:
> 
>> 81:         privateKey = null;
>> 82:         privateKeyOps = null;
>> 83:         publicKey = null;
> 
> The fields should be initialized to null, so I don't think you need these lines.

KeyAgreement ka = KeyAgreement.getInstance("ECDH");
ka.init(key1);   // succeeds, fields now hold key1
ka.init(key2);   // throws

Without those lines, when the second `init` throws an exception, the keys set by the first `init` are not cleared.
Please consider the test case `testInitWithInvalidKey` in `ECDHKeyAgreementParamValidation`.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17373#discussion_r1450607215
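Added example (not code from the PR, from the JDK, or from the `ECDHKeyAgreementParamValidation` test): a JCA-level check for the state the reply describes. A first `init` succeeds, a second `init` with a key the engine must reject throws, and the check then asks whether the agreement is still usable with the first key. The "invalid" key is assumed to be a non-EC (RSA) private key, which `ECDH` rejects with `InvalidKeyException`; the PR's own test may use a different invalid key. If the engine cleared its fields on entry to `init`, `doPhase` throws `IllegalStateException` and the method returns false; if the stale key survived, the method returns true.

```java
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;
import javax.crypto.KeyAgreement;

public class EcdhInitResetCheck {

    // Returns true if a failed second init() left the agreement usable
    // with the key from the first init(), i.e. stale state survived;
    // false if the failed init() left the engine uninitialized.
    static boolean staleStateSurvives() throws Exception {
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair alice = ecGen.generateKeyPair();
        KeyPair bob = ecGen.generateKeyPair();

        // Assumed "invalid" key for this example: wrong algorithm.
        // ECDH init must reject it with InvalidKeyException.
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        PrivateKey wrongKey = rsaGen.generateKeyPair().getPrivate();

        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(alice.getPrivate());            // first init succeeds
        try {
            ka.init(wrongKey);                  // second init must throw
            throw new AssertionError("ECDH init accepted a non-EC key");
        } catch (InvalidKeyException expected) {
            // This is the failure path the review thread is about.
        }

        // After a failed init the engine should hold no key, so doPhase
        // must throw IllegalStateException rather than use alice's key.
        try {
            ka.doPhase(bob.getPublic(), true);
            ka.generateSecret();
            return true;   // stale key from the first init was used
        } catch (IllegalStateException e) {
            return false;  // fields were cleared before validation ran
        }
    }

    public static void main(String[] args) throws Exception {
        boolean stale = staleStateSurvives();
        System.out.println(stale
            ? "stale key survived the failed init (fields not reset)"
            : "failed init left the agreement uninitialized (fields reset)");
    }
}
```

The check only exercises the public `KeyAgreement` API, so it runs against any JDK; a JDK without the reset at the top of `engineInit` reports the first branch, one with it reports the second. In the stale case a caller that swallows the `InvalidKeyException` (or is handed the already-initialized object) would silently derive a secret from `key1`, which is the hazard behind keeping those three assignments.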
