RFR: 8358159: Empty mode/padding in cipher transformations [v3]
Varada M
varadam at openjdk.org
Thu Jun 5 11:30:42 UTC 2025
On Wed, 4 Jun 2025 18:13:59 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> src/java.base/share/classes/javax/crypto/Cipher.java line 393:
>>
>>> 391: this.suffix = suffix.toUpperCase(Locale.ENGLISH);
>>> 392: this.mode = ((mode == null) || mode.isEmpty()) ? null : mode;
>>> 393: this.pad = ((pad == null) || pad.isEmpty()) ? null : pad;
>>
>> Thanks for reporting and fixing this issue.
>> Since this is an internal class used solely inside `Cipher` class, instead of changing the empty string to null inside the `Transform` constuctor, we can do that before calling `Transform` constructor. Also if one of `mode` or `pad` is empty, then maybe we don't need all 4 `Transform`s.
>
> For example, line 457, 458, we can do something like:
>
> String mode = (parts[1].length() == 0 ? null : parts[1]);
> String pad = (parts[2].length() == 0 ? null : parts[2]);
>
> When populating the `list `(after line 467), we can skip the Tranform if the required component is missing, e.g.
>
> List<Transform> list = new ArrayList<>(4);
> if ((mode != null) && (pad != null)) {
> list.add(new Transform(alg, "/" + mode + "/" + pad, null, null));
> }
Thank you @valeriepeng. I have made the suggested changes. Did the jtreg testing too, it looks good.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25547#discussion_r2128613087
More information about the security-dev
mailing list