On Thu, 28 Jul 2022 21:51:48 GMT, Bradford Wetmore <wetm...@openjdk.org> wrote:

>>> Needs regression tests.
>>> 
>>> Have you looked at the other Key(Pair)Generators? We've probably added more 
>>> when this bug was filed. I took a quick look at some, and they were 
>>> covered. (DES/DESede/Blowfish/AES/etc.)
>> 
>> @bradfordwetmore The bug mentions only the Hmac*KeyGenerators. I thought 
>> about this too, but you mentioned in your initial triage comment on the bug 
>> that it should be treated as only relevant to the classes I modified. 
>> Thoughts?
>
> What bug/Sean meant was that we wouldn't put in a check into java.security.* 
> framework, but rather in sun.security.* implementation.  And that we don't 
> need to put "SunJCE" in this particular throws message, as we'll know where 
> it is from the stack trace.
> 
> My comment agrees that we have a problem in the JCE Hmac code, but there 
> might be other locations where init's like this might allow for invalid 0 
> values.  It's just a general idea to check we didn't make the same issue 
> elsewhere.

Other (newer) HmacXXX KeyGenerators enforce a minimum key size of 40. So, perhaps 
just enforce the same lower limit or just check for <0?

-------------

PR: https://git.openjdk.org/jdk/pull/9679
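An added illustration of the kind of guard the thread is discussing (this is example code, not the PR's change and not the JDK's sun.security.* implementation): a hypothetical KeyGeneratorSpi whose engineInit(int, SecureRandom) rejects zero, negative and undersized key sizes up front, using the 40-bit lower bound the reply mentions for the newer Hmac generators. The class name, the 256-bit default and the exception message are assumptions for the example; as the quoted comment suggests, the message does not name the provider, since the stack trace already shows where it came from.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidParameterException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.KeyGeneratorSpi;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical illustrative generator; not the JDK's own HmacXXX KeyGenerator.
public final class GuardedHmacKeyGeneratorExample extends KeyGeneratorSpi {

    // Lower bound (in bits) that the thread says the newer Hmac generators use.
    private static final int MIN_KEY_BITS = 40;
    // Assumed default for this example only.
    private static final int DEFAULT_KEY_BITS = 256;

    private final String algorithm;
    private int keyBytes = DEFAULT_KEY_BITS / 8;
    private SecureRandom random;

    public GuardedHmacKeyGeneratorExample(String algorithm) {
        this.algorithm = algorithm;
    }

    @Override
    protected void engineInit(SecureRandom random) {
        this.random = random;
    }

    @Override
    protected void engineInit(AlgorithmParameterSpec params, SecureRandom random)
            throws InvalidAlgorithmParameterException {
        throw new InvalidAlgorithmParameterException(
                algorithm + " key generation does not take any parameters");
    }

    @Override
    protected void engineInit(int keysize, SecureRandom random) {
        // The check under discussion: 0, negative and undersized values are
        // refused here, before they can reach the key-material allocation.
        if (keysize < MIN_KEY_BITS) {
            throw new InvalidParameterException(
                    "Key size must be at least " + MIN_KEY_BITS + " bits, got " + keysize);
        }
        // Round up to whole bytes so a size such as 41 still yields usable material.
        this.keyBytes = (keysize + 7) / 8;
        this.random = random;
    }

    @Override
    protected SecretKey engineGenerateKey() {
        if (random == null) {
            random = new SecureRandom();
        }
        byte[] material = new byte[keyBytes];
        random.nextBytes(material);
        return new SecretKeySpec(material, algorithm);
    }

    // Exercises the guard with the values the thread is concerned about.
    public static void main(String[] args) {
        GuardedHmacKeyGeneratorExample kg =
                new GuardedHmacKeyGeneratorExample("HmacSHA256");
        for (int size : new int[] {0, -1, 8, 40, 256}) {
            try {
                kg.engineInit(size, new SecureRandom());
                System.out.println(size + " bits: accepted, key length "
                        + kg.engineGenerateKey().getEncoded().length + " bytes");
            } catch (InvalidParameterException e) {
                System.out.println(size + " bits: rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running the class shows 0, -1 and 8 rejected and 40 and 256 accepted (5- and 32-byte keys); a regression test for the real fix would assert the same rejection through the public javax.crypto.KeyGenerator.init(int) path for each affected Hmac algorithm.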
