[
http://issues.apache.org/jira/browse/DERBY-788?page=comments#action_12366386 ]
Sunitha Kambhampati commented on DERBY-788:
-------------------------------------------
Since the test is testing the codepath when encryptionKey attribute is used,
changing the test so it passes with the JCE provider on Solaris
(SunPCKS11-Solaris) should be ok and I think this is what we should do ( either
implement 1 or 2)
1) change test to either use DES with 8byte encryptionKey
2) change test to use AES algorithm with 16byte encryptionKey provided AES
support is available with the PCKS11-Solaris.
That should solve the test failure issue and we would still be testing this
case for encryptionKey.
Just as an fyi , I tried the first connection url with AES and it works ok with
the Sun JCE with jdk 142 on windows.
=====================
That said, I think it is interesting that we cant expect the translateKey to
always translate the key for us.
I found this in the java api for SecretKeySpec.
public SecretKeySpec(byte[] key,
String algorithm)Constructs a secret key from the given
byte array.
This constructor does not check if the given bytes indeed specify a secret key
of the specified algorithm. For example, if the algorithm is DES, this
constructor does not check if key is 8 bytes long, and also does not check for
weak or semi-weak keys. In order for those checks to be performed, an
algorithm-specific key specification class (in this case: DESKeySpec) should be
used.
In derby code, there is
// Since the key may be a series of bytes generated by an arbitary means
// we need to translate it into a key suitable for the algorithm.
secretKey = skf.translateKey(new SecretKeySpec(secretKey.getEncoded(),
secretKey.getAlgorithm()));
I think you are right about - that we cannot assume that invalid key checks
would not happen with the call. I looked at the Java api for 1.4.2 but I didnt
find any AES specific KeySpec but found for others like DES and DESede.
I think we should open another jira so we can record what we learnt here so we
can improve this.
Thanks Kristian for your analysis and following up on this jira.
> 'store/encryptionKey.sql' fails on Solaris 10
> ---------------------------------------------
>
> Key: DERBY-788
> URL: http://issues.apache.org/jira/browse/DERBY-788
> Project: Derby
> Type: Bug
> Components: Services, Test, Regression Test Failure
> Versions: 10.0.2.1, 10.1.1.2, 10.1.2.1
> Environment: Solaris 10 (generic hardware)
> Sun JDK 5.0 with the 'SunPCKS11-Solaris' Java Security provider
> Reporter: Kristian Waagan
> Priority: Minor
> Fix For: 10.2.0.0
>
> The 'store/encryptionKey.sql' test fails on Solaris 10.
> Investigation revealed that the failure is caused by a difference in behavior
> between the 'SunPCKS11-Solaris' provider and other providers (tested with
> 'SunJCE' and 'IBMJCE').
> The initialization of the DES cipher fails because the 16 byte key (specified
> in the test) is not translated to a 8 byte DES key by
> SecretKeyFactory.translateKey(). This might be a bug in the provider (I don't
> know the spec). Enquiries are being made.
> The exception is being thrown from the constructor of
> 'impl.services.jce.JCECipherProvider'.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
