[
https://issues.apache.org/jira/browse/DERBY-4229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13461027#comment-13461027
]
Dag H. Wanvik commented on DERBY-4229:
--------------------------------------
It seems encryptionKeyLength can be used with *both* bootPassword and
encryptionKey, cf this code comment in JCECipherFactory.java:
490 // note: Attribute.CRYPTO_KEY_LENGTH is set during creation time to
a supported
491 // key length in the connection url. Internally , two values are
stored in this property
492 // if encryptionKey is used, this property will have only the
encoded key length
493 // if boot password mechanism is used, this property will have the
following
494 // keylengthBits-EncodedKeyLength
Using both bootPassword and encryptionKey throws an exception, cf. this code:
// incorrect to specify external key and boot password
563 if (properties.getProperty((newAttrs ?
564 Attribute.NEW_BOOT_PASSWORD :
565 Attribute.BOOT_PASSWORD)) !=
null)
566 throw
StandardException.newException(SQLState.SERVICE_WRONG_BOOT_PASSWORD);
SERVICE_WRONG_BOOT_PASSWORD is SQL state "XBM06", btw, but I don't think we
document that..
- Your question as to the finals statement in the docs: Now, if the keylength
specified is wrong, the code call
> keyGen.init(keyLengthBits);
will throw InvalidParameterException in JCECipherFactory#generateUniqueBytes.
IPE is not a checked exception, so presumably it would get caught somewhere,
and converted to an SQLException, new test in order!!
> encryptionKeyLength connection attribute should be documented
> -------------------------------------------------------------
>
> Key: DERBY-4229
> URL: https://issues.apache.org/jira/browse/DERBY-4229
> Project: Derby
> Issue Type: Bug
> Components: Documentation
> Affects Versions: 10.5.1.1
> Reporter: Kathey Marsden
> Assignee: Kim Haase
> Fix For: 10.5.2.0
>
> Attachments: cdevcsecure67151.html, DERBY-4229-2.diff,
> DERBY-4229-2.stat, DERBY-4229.diff, rrefattribencryptkeylength.html
>
>
> The developer guide says:
> The length of the encryption key depends on the algorithm used:
> AES (128, 192, and 256 bits)
> DES (the default) (56 bits)
> DESede (168 bits)
> All other algorithms (128 bits)
> Note: The boot password should have at least as many characters as number of
> bytes in the encryption key (56 bits=8 bytes, 168 bits=24 bytes, 128 bits=16
> bytes). The minimum number of characters for the boot password allowed by
> Derby is eight.
> For AES, however, it does not tell how to change the default key length of
> 128. This can be changed with the encryptionKeyLength connection attribute.
> The documentation should also specify that special policy files for the JRE
> may be necessary to accomodate the longer length.
> Also note that there is an outstanding issue DERBY-3710 regarding length of
> 192 for AES.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
