RFR: 8320449: ECDHKeyAgreement should validate parameters before using them
Sean Mullan
mullan at openjdk.org
Fri Jan 12 20:46:23 UTC 2024
On Fri, 12 Jan 2024 15:30:33 GMT, John Jiang <jjiang at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ec/ECDHKeyAgreement.java line 83:
>>
>>> 81: privateKey = null;
>>> 82: privateKeyOps = null;
>>> 83: publicKey = null;
>>
>> The fields should be initialized to null, so I don't think you need these lines.
>
> KeyAgreement ka = KeyAgreement.getInstance("ECDH");
> ka.init(key1);
> ka.init(key2);
>
> Without those lines, when the second `init` throws an exception, the keys set by the first `init` are not cleared.
> Please consider the test case `testInitWithInvalidKey` in `ECDHKeyAgreementParamValidation`.
Yes, you are right.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/17373#discussion_r1450907385
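
The failure mode discussed in this thread, modelled as an added example (not code from the JDK or from the pull request): an object that clears its key state before validating a new key, beside one that does not. The `Agreement` class, its field and the 32-byte validity rule are hypothetical stand-ins for the real key agreement fields and checks.

```java
import java.security.InvalidKeyException;

// Simplified model of a re-initializable key agreement object.
// All class and method names here are hypothetical, not JDK code.
public class ReinitDemo {

    static class Agreement {
        private final boolean resetFirst;   // true = clear state before validating
        private byte[] privateKey;          // stands in for the private key fields

        Agreement(boolean resetFirst) { this.resetFirst = resetFirst; }

        void init(byte[] key) throws InvalidKeyException {
            if (resetFirst) {
                privateKey = null;          // drop whatever an earlier init stored
            }
            if (key == null || key.length != 32) {   // constructed validity rule
                throw new InvalidKeyException("unsupported key");
            }
            privateKey = key.clone();
        }

        boolean isInitialized() { return privateKey != null; }
    }

    // Reports whether a key is still held after init(valid) then init(invalid).
    static boolean holdsKeyAfterFailedReinit(boolean resetFirst) {
        Agreement ka = new Agreement(resetFirst);
        try {
            ka.init(new byte[32]);          // key1: accepted
            ka.init(new byte[5]);           // key2: rejected
        } catch (InvalidKeyException expected) {
            // the caller sees the failure but may keep using ka
        }
        return ka.isInitialized();
    }

    public static void main(String[] args) {
        System.out.println("without reset: " + holdsKeyAfterFailedReinit(false));
        System.out.println("with reset:    " + holdsKeyAfterFailedReinit(true));
    }
}
```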