[ https://issues.apache.org/jira/browse/DERBY-6537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13993470#comment-13993470 ]
Dyre Tjeldvoll commented on DERBY-6537:
---------------------------------------

Although not obvious, I believe the various key length descriptions can be found in the [Creating a boot password|https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/devguide/cdevcsecure866716.html] section:

{quote}
The length of the encryption key depends on the algorithm used:

AES (128, 192, and 256 bits)
DES (the default) (56 bits)
DESede (168 bits)
All other algorithms (128 bits)

Note: The boot password should have at least as many characters as number of bytes in the encryption key (56 bits=8 bytes, 168 bits=24 bytes, 128 bits=16 bytes). The minimum number of characters for the boot password allowed by Derby is eight.""
{quote}

From which we can deduce that a DES key must have an 8 byte binary representation. In a hex string each digit represents a half-byte so this corresponds to a hex string with at least 16 digits. The number of digits must also be even - the code fix suggested above is considered risky as it may have backward compatibility problems.

And yes, the closing apostrophe looks like a typo.

> StringUtil.fromHexString is used to convert encryptionKey to byte[]
> -------------------------------------------------------------------
>
>                 Key: DERBY-6537
>                 URL: https://issues.apache.org/jira/browse/DERBY-6537
>             Project: Derby
>          Issue Type: Bug
>          Components: Documentation, Services
>    Affects Versions: 10.10.1.1
>            Reporter: Dyre Tjeldvoll
>            Assignee: Kim Haase
>            Priority: Minor
>         Attachments: DERBY-6537.diff, DERBY-6537.stat, DERBY-6537.zip
>
>
> The javadoc for StringUtil.fromHexString states that its intended use is to
> "Convert a hexidecimal string generated by toHexString() back into a byte
> array", and that null is returned if the length of the hex-string is not
> even.
> But in JCECipherFactory.init() it is being used to convert the encryptionKey
> property string to byte[]. For this usage such a restriction makes no sense,
> and is confusing as it is not documented (at least not in the dev guide
> chapter about encrypting databases).
> For this usage it would be better to use
> new BigInt(encryptionKey,16).toByteArray() which would not have this
> restriction. But even with this change the documentation should probably be
> updated to state that the value for the key must be a valid hex-string, as
> that is what it will be interpreted as. The first section of the doc should
> probably also mention that DES is the default algo, and what its minimum key
> length requirements are (now you need to look at the section about specifying
> an alternate algo, to find that).

--
This message was sent by Atlassian JIRA
(v6.2#6252)
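
The following is an added example, not Derby code and not part of the issue or the comment. It compares a strict two-digits-per-byte hex decode with the `BigInteger`-based conversion for the same key string, showing one concrete way the two can produce different key bytes: `BigInteger.toByteArray()` returns a minimal two's-complement encoding, so leading zero bytes are dropped and a sign byte is added when the top bit is set. `strictFromHex` is a hypothetical helper written only to mirror the documented contract of `StringUtil.fromHexString` (null on odd length), and the key strings are constructed samples.

```java
import java.math.BigInteger;
import java.util.Arrays;

// Added example: not Derby code. strictFromHex is a hypothetical stand-in for
// the documented contract of StringUtil.fromHexString (null on odd length).
public class HexKeyDemo {

    // Strict decode: two hex digits per byte; null if the length is odd
    // or any character is not a hex digit.
    static byte[] strictFromHex(String s) {
        if (s == null || s.length() % 2 != 0) return null;
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16);
            int lo = Character.digit(s.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    // Numeric conversion: the string is parsed as one base-16 integer and
    // re-encoded as minimal two's-complement, so the byte count is not
    // tied to the number of hex digits.
    static byte[] bigIntegerFromHex(String s) {
        return new BigInteger(s, 16).toByteArray();
    }

    static void compare(String label, String hex) {
        byte[] strict = strictFromHex(hex);
        byte[] big = bigIntegerFromHex(hex);
        System.out.printf("%-18s strict=%s bytes, BigInteger=%d bytes, identical=%b%n",
                label,
                strict == null ? "null" : String.valueOf(strict.length),
                big.length,
                Arrays.equals(strict, big));
    }

    public static void main(String[] args) {
        // Constructed sample keys; 16 hex digits is the DES minimum derived above.
        compare("plain", "1122334455667788");
        compare("leading zero byte", "0011223344556677");
        compare("high bit set", "ff11223344556677");
        compare("odd length", "122334455667788");
    }
}
```

Running it prints the byte count each conversion yields per sample, which makes it easy to see for which inputs a database keyed through one conversion would receive different key material through the other.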