Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-4953557

initialization with too long key does not fail using javax.crypto.Cipher.init(in

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Not an Issue
    • Affects Version/s: 5.0
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:

      Description



      Name: iiR10263 Date: 11/13/2003



      The specification describes the following exceptions that are thrown
      by javax.crypto.Cipher.init(int, Key):

      Throws:
      InvalidKeyException - if the given key is inappropriate for
      initializing this cipher, or if this cipher is being initialized for
      decryption and requires algorithm parameters that cannot be determined
      from the given key, or if the given key has a keysize that exceeds the
      maximum allowable keysize (as determined from the configured
      jurisdiction policy files).

      It seems that the implementation does not check if a key is too long.

      Please find the code example that reproduses the situation below:

      import java.io.PrintWriter;
      import java.security.InvalidKeyException;
      import java.security.Key;
      import java.security.AlgorithmParameters;
      import java.security.spec.KeySpec;
      import javax.crypto.Cipher;
      import javax.crypto.SecretKeyFactory;
      import javax.crypto.spec.PBEKeySpec;
      import javax.crypto.spec.SecretKeySpec;
                                                                     
      public class e6 {
                                                                     
          public static void main(String argv[]) {
              Key k;
              Cipher c;
              AlgorithmParameters params = null;
                                                                     
              String alg = "PBEWITHMD5ANDDES";
              byte[] salt = {
                  (byte)0xc7, (byte)0x73, (byte)0x21, (byte)0x8c,
                  (byte)0x7e, (byte)0xc8, (byte)0xee, (byte)0x99
              };
              int count = 20;
              String s = "My wonderfull password that is long enough.
                  "Tra-la-la, let me sing a song";
                                                                     
              try {
                  int kl = Cipher.getMaxAllowedKeyLength(alg);
                                                                     
                  if (kl != Integer.MAX_VALUE) {
                      int l = kl + 8;
                      SecretKeyFactory skf =
                          SecretKeyFactory.getInstance(alg);
                                                                     
                      PBEKeySpec ks = new PBEKeySpec(s.toCharArray(),
                          count, l);
                                                                     
                      if (ks.getKeyLength() != l) {
                          System.out.println("The generated key will
                              "strange length (not " + l + ")");
                      } else {
                          System.out.println("The generated key will
                              "have length " + l);
                      }
                                                                     
                      // PBE algorithm is symmetric.
                      k = skf.generateSecret(ks);
                                                                     
                      c = Cipher.getInstance(alg);
                                                                     
                      try {
                          c.init(Cipher.ENCRYPT_MODE, k);
                          System.out.println("Where is my exception?"
                      } catch (InvalidKeyException e) {
                      }
                  }
              } catch (Exception e) {
                  e.printStackTrace(System.out);
              }
          }
      }
      Test output:
      The generated key will have length 136
      Where is my exception?

      The situation is the same for all other algorithms.

      java full version "1.5.0-beta-b26"

      ======================================================================

        Attachments

          Activity

            People

            • Assignee:
              valeriep Valerie Peng
              Reporter:
              duke J. Duke (Inactive)
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Imported:
                Indexed: