[ http://issues.apache.org/jira/browse/DERBY-746?page=all ]
Kristian Waagan updated DERBY-746:
----------------------------------
Attachment: derby-746.diff
derby-746.stat
Stat and diff for the patch (against revision 365637).
No new files added.
Derbyall ran without errors on 32 bit (chroot) Gentoo Linux (6 suites skipped - no
db2jcc).
The test will fail on Solaris 10 with J2SE 5.0 due to another problem, see
DERBY-788.
Patch description:
* JCECipherFactory.boot() now checks the output from the fromHexString-method
and throws an exception if it is invalid, instead of failing with NPE.
* Added 2 new SQLStates and messages (only English)
* Added 2 new test cases (invalid char in encryption key and encryption key
with odd length).
* Updated master file.
> NullPointerException when 'encryptionKey' length is an odd number, or it
> contains invalid chars
> -----------------------------------------------------------------------------------------------
>
> Key: DERBY-746
> URL: http://issues.apache.org/jira/browse/DERBY-746
> Project: Derby
> Type: Bug
> Components: Security
> Versions: 10.1.1.2, 10.1.2.1, 10.2.0.0, 10.1.3.0, 10.1.2.2
> Environment: All environments.
> Reporter: Kristian Waagan
> Assignee: Kristian Waagan
> Priority: Minor
> Attachments: derby-746.diff, derby-746.stat
>
> When booting/creating an encrypted database, a NullPointerException is thrown
> if the length of the connection string attribute 'encryptionKey' is an odd
> number, or the encryption key contains invalid characters for hexadecimal
> numbers (char not in the set [0-9a-fA-F]).
> The reason for the exception being thrown is that the method
> 'iapi.util.StringUtil.fromHexString(String, int, int)' returns null for the
> cases described above. The code calling the method in
> 'JCECipherFactory.boot(boolean, Properties)' does not check that the return
> value is not null.
> A related trivial issue is that 'fromHexString' does not allow the caller to
> see the distinction between a string with invalid length and a string
> containing invalid characters (both cases return null).
> [To reproduce]
> (connection string copied from test 'store/encryptionKey.sql' and then
> modified)
> Supply the following connection string, for instance in ij:
> connect
> 'jdbc:derby:encdbcbc_key;create=true;dataEncryption=true;encryptionAlgorithm=DES/CBC/NoPadding;encryptionKey=6162636465666768696162636465656';
> (deleted the last digit in the encryption key)
> 'jdbc:derby:encdbcbc_key;create=true;dataEncryption=true;encryptionAlgorithm=DES/CBC/NoPadding;encryptionKey=6162636465666768696162636465656X';
> (replaced last digit with an X)