PKCS #12 keystore with no/empty password - null or empty char[]?

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

PKCS #12 keystore with no/empty password - null or empty char[]?

Ville Skyttä
When loading or storing a PKCS #12 keystore, the BC (1.29) and SunJSSE
(from J2SE 1.5.0_03) implementations seem to be incompatible wrt. empty
or missing passwords:

- If passed null as the password, the BC provider throws an exception
  about no password being supplied, while the SunJSSE implementation is
  happy with it.

- If passed an empty char array as the password, the BC provider is
  happy, but the SunJSSE implementation throws an ArithmeticException
  (division by zero).

Which one should be fixed, BC or SunJSSE, or both?


Reply | Threaded
Open this post in threaded view
|

Re: PKCS #12 keystore with no/empty password - null or empty char[]?

David Hook-4

There are other differences as well - you have to be very careful about
mixing and matching PKCS12 providers, PKCS12 allows a certain
"flexibility" in how you interpret the file structure.

Having said that a zero length password is acceptable to the PKCS12 key
generation algorithm - I would say this was a bug in the JSSE (my guess
is that null will decrypt a file encrypted with a zero length password
correctly, if it doesn't I'd be fascinated to know what it's doing...).

Regards,

David

On Sun, 2005-06-26 at 16:13 +0300, Ville Skyttä wrote:

> When loading or storing a PKCS #12 keystore, the BC (1.29) and SunJSSE
> (from J2SE 1.5.0_03) implementations seem to be incompatible wrt. empty
> or missing passwords:
>
> - If passed null as the password, the BC provider throws an exception
>   about no password being supplied, while the SunJSSE implementation is
>   happy with it.
>
> - If passed an empty char array as the password, the BC provider is
>   happy, but the SunJSSE implementation throws an ArithmeticException
>   (division by zero).
>
> Which one should be fixed, BC or SunJSSE, or both?
>
>


Reply | Threaded
Open this post in threaded view
|

Re: PKCS #12 keystore with no/empty password - null or empty char[]?

Ville Skyttä
On Mon, 2005-06-27 at 11:06 +1000, David Hook wrote:
> There are other differences as well - you have to be very careful about
> mixing and matching PKCS12 providers, PKCS12 allows a certain
> "flexibility" in how you interpret the file structure.

Yep, I think I'll keep "hardcoding" use of the BC implementation in
Portecle at least for now, that's required for Java 1.4 anyway.

> Having said that a zero length password is acceptable to the PKCS12 key
> generation algorithm - I would say this was a bug in the JSSE

Ok, I'll take a look at filing a bug about this soonish to see what they
think.  Thanks.

>  (my guess
> is that null will decrypt a file encrypted with a zero length password
> correctly, if it doesn't I'd be fascinated to know what it's doing...).

It seems to behave as expected when passed null as the password.