Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: P4
Fix Version/s: 21
Affects Version/s: None
Component/s: security-libs
Labels:
- release-note=yes

Subcomponent:
java.security
Resolved In Build:
b24

Both `PKCS8Key::<init>(byte[])` and `X509::decode(byte[])` wrap the input bytes into a `ByteArrayInputStream` and then parse it. This means if there are any extra bytes after the end of the key they will not be detected and the key parsing succeeds.

This can be demonstrated with
```
KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(Arrays.copyOf(
KeyPairGenerator.getInstance("EC").generateKeyPair().getPublic().getEncoded(), 1000)));
```

relates to

JDK-8319937 KeyFactory.generatePublic throws if spec decoded from input with extra bytes

Closed

links to

Commit openjdk/jdk/148df533

Review openjdk/jdk/13958

Release Note: KeyFactory Will Reject EncodedKeySpec With Extra Bytes at the End

Resolved

Weijun Wang

Assignee:: Weijun Wang

Reporter:: Weijun Wang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2023-05-12 08:05

Updated:: 2023-11-13 07:01

Resolved:: 2023-05-18 14:25

Details

Description

Attachments

Issue Links

Sub-Tasks

Activity

People

Dates