I did consider the approach below, especially since it saves an extra call to Mac.getInstance. However one motivation for fixing the original issue was to better facilitate third-party JCE providers and I know of one provider that does support empty passwords which will never get selected if that approach is used.
> On 20 Aug 2016, at 01:30, Weijun Wang <weijun.w...@oracle.com> wrote: > > How about > > this.prf = (passwdBytes.length == 0) ? > Mac.getInstance(prfAlgo, SunJCE.getInstance()) : > Mac.getInstance(prfAlgo); > > Mac is only implemented in SunPKCS11 and SunJCE out-of-box, so this saves an > extra getInstance() call. > > If a 3rd party provider is involved, I'm not sure it supports an empty > password (I have a feeling that except for Java everyone else are using the > same C codes. Maybe not Microsoft), and this call is safer. > > --Max > > On 8/20/2016 5:18, Valerie Peng wrote: >> Looks fine to me. >> Thanks, >> Valerie >> >> On 8/19/2016 9:57 AM, Vincent Ryan wrote: >>> Please review this fix to PBE key derivation function which detects >>> when a non-empty password >>> is supplied to the SunPKCS11-Solaris JCE provider and fails over to >>> the SunJCE provider instead. >>> Thanks. >>> >>> Bug: https://bugs.openjdk.java.net/browse/JDK-8164494 >>> Webrev: http://cr.openjdk.java.net/~vinnie/8164494/webrev.00/ >>> <http://cr.openjdk.java.net/%7Evinnie/8164494/webrev.00/> >>> >>
