RFR: 8296442: EncryptedPrivateKeyInfo can be created with an uninitialized AlgorithmParameters [v4]
Sean Mullan
mullan at openjdk.org
Wed Nov 16 14:26:05 UTC 2022
On Thu, 10 Nov 2022 14:51:54 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/x509/AlgorithmId.java line 177:
>>
>>> 175: // If still not initialized. Let the IOE be thrown.
>>> 176: }
>>> 177:
>>
>> This could be a risk change if the caller was not coded like what you do in the EncryptedPrivateKeyInfo.java update. Did you have a chance to check all caller codes and make sure it is a safe update.
>
> I double checked again. In all other cases, the params is either explicitly initialized right before the call, or it's retrieved from an initialized signature/cipher or another `AlgorithmId`. There is only one case that does not have an origin but the method is not called anywhere. I'll remove that method in my next commit.
Nit on line 168, remove space before "(".
-------------
PR: https://git.openjdk.org/jdk/pull/11067
More information about the security-dev
mailing list