[
https://issues.apache.org/jira/browse/CRYPTO-157?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hendrik Saly updated CRYPTO-157:
--------------------------------
Description:
CryptoInputStream and CryptoOutputStream are not allowing other
AlgorithmParameterSpec than IvParameterSpec. But they both claim to support any
mode of operations, but without submitting a GCMParameterSpec it's not possible
to define an authentication tag length in GCM mode. Despite that, I am not
sure if cipher in GCM is ever properly initialized without a GCMParameterSpec
(if there is a default for tLen and it's not 128 then the cipher is IMHO not
properly initialized).
The other thing is that modes which do not need an AlgorithmParameterSpec (like
ECB) are also maybe not properly initialized. Not sure if ECB just ignores the
given IvParameterSpec. I suggest to just allow null here and if null is given
call the cipher.init(mode, key) method without AlgorithmParameterSpec.
[https://github.com/apache/commons-crypto/blob/6b1a6968c68930e970ab4a9c21885e4872318bab/src/main/java/org/apache/commons/crypto/stream/CryptoInputStream.java#L198]
[https://github.com/apache/commons-crypto/blob/6b1a6968c68930e970ab4a9c21885e4872318bab/src/main/java/org/apache/commons/crypto/stream/CryptoOutputStream.java#L184]
Happy to create a PR if bug is confirmed.
was:
CryptoInputStream and CryptoOutputStream are not allowing other
AlgorithmParameterSpec than IvParameterSpec. But they both claim to support any
mode of operations, but without submitting a GCMParameterSpec it's not possible
to define an authentication tag length in GCM mode. Despite that, I am not
sure if cipher in GCM is ever properly initialized without a GCMParameterSpec
(if there is a default for tLen and it's not 128 then the cipher is IMHO not
properly initialized).
The other thing is that modes which do not need an AlgorithmParameterSpec (like
ECB) are also maybe not peroperly initialized. Not sure if ECB just ignores the
given IvParameterSpec. I suggest to just allow null here and if null is given
call the cipher.init(mode, key) method without AlgorithmParameterSpec.
[https://github.com/apache/commons-crypto/blob/6b1a6968c68930e970ab4a9c21885e4872318bab/src/main/java/org/apache/commons/crypto/stream/CryptoInputStream.java#L198]
[https://github.com/apache/commons-crypto/blob/6b1a6968c68930e970ab4a9c21885e4872318bab/src/main/java/org/apache/commons/crypto/stream/CryptoOutputStream.java#L184]
Happy to create a PR if bug is confirmed.
> Authentication tag length cannot be specified for CryptoInputStream
> -------------------------------------------------------------------
>
> Key: CRYPTO-157
> URL: https://issues.apache.org/jira/browse/CRYPTO-157
> Project: Commons Crypto
> Issue Type: Bug
> Components: Stream
> Reporter: Hendrik Saly
> Priority: Major
>
> CryptoInputStream and CryptoOutputStream are not allowing other
> AlgorithmParameterSpec than IvParameterSpec. But they both claim to support any
> mode of operations, but without submitting a GCMParameterSpec it's not
> possible to define an authentication tag length in GCM mode. Despite that, I
> am not sure if cipher in GCM is ever properly initialized without a
> GCMParameterSpec (if there is a default for tLen and it's not 128 then the
> cipher is IMHO not properly initialized).
> The other thing is that modes which do not need an AlgorithmParameterSpec
> (like ECB) are also maybe not properly initialized. Not sure if ECB just
> ignores the given IvParameterSpec. I suggest to just allow null here and if
> null is given call the cipher.init(mode, key) method without
> AlgorithmParameterSpec.
> [https://github.com/apache/commons-crypto/blob/6b1a6968c68930e970ab4a9c21885e4872318bab/src/main/java/org/apache/commons/crypto/stream/CryptoInputStream.java#L198]
>
> [https://github.com/apache/commons-crypto/blob/6b1a6968c68930e970ab4a9c21885e4872318bab/src/main/java/org/apache/commons/crypto/stream/CryptoOutputStream.java#L184]
>
> Happy to create a PR if bug is confirmed.
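Added example, not part of the original issue and not Commons Crypto code: the three initialization cases the report raises, run against the JDK's own javax.crypto API so the behaviour of a standard JCE provider can be compared with what the streams allow. The class name, the helper methods and the all-zero key and nonce are constructed for illustration; results depend on the installed provider.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.spec.AlgorithmParameterSpec;

public class ParamSpecDemo {
    // Constructed sample values: all-zero demo key and nonce, never use these for real data.
    static final SecretKeySpec KEY = new SecretKeySpec(new byte[16], "AES");
    static final byte[] NONCE = new byte[12];

    // Initialise the way the report suggests: a null spec selects init(mode, key).
    static Cipher init(String transformation, AlgorithmParameterSpec spec)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        if (spec == null) {
            c.init(Cipher.ENCRYPT_MODE, KEY);
        } else {
            c.init(Cipher.ENCRYPT_MODE, KEY, spec);
        }
        return c;
    }

    // Encrypt one 16-byte block and report the output length, or the rejection.
    static String attempt(String transformation, AlgorithmParameterSpec spec) {
        try {
            int outLen = init(transformation, spec).doFinal(new byte[16]).length;
            return "ok, 16-byte plaintext -> " + outLen + " bytes";
        } catch (GeneralSecurityException e) {
            return "rejected: " + e.getClass().getSimpleName() + " (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        String gcm = "AES/GCM/NoPadding";
        String ecb = "AES/ECB/NoPadding";
        // GCMParameterSpec carries tLen in bits; the tag is appended to the ciphertext.
        System.out.println("GCM tLen=128: " + attempt(gcm, new GCMParameterSpec(128, NONCE)));
        System.out.println("GCM tLen=96:  " + attempt(gcm, new GCMParameterSpec(96, NONCE)));
        // An IvParameterSpec has no field for the tag length.
        System.out.println("GCM IvSpec:   " + attempt(gcm, new IvParameterSpec(NONCE)));
        // ECB takes no IV: compare passing one with passing no spec at all.
        System.out.println("ECB IvSpec:   " + attempt(ecb, new IvParameterSpec(new byte[16])));
        System.out.println("ECB no spec:  " + attempt(ecb, null));
    }
}
```

The difference in output length between the two GCM runs is the tag length, which is the parameter a stream API restricted to IvParameterSpec cannot express.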