The while(true) in PKCS12KeyStore.java seems like it isn't really
necessary, since you are calling the code inside it at most twice. I
think a better approach would be to move lines 2134-2146 into a utility
method and call it again if you get an Exception and the password is empty.
Looks fine otherwise.
--Sean
On 4/27/18 12:56 PM, Weijun Wang wrote:
Please take a look at
http://cr.openjdk.java.net/~weijun/8202299/webrev.00/
Turns out we have to retry [0] other than [] in all 3 locations: decrypting
keys, decrypting certs, and verifying the mac.
Thanks
Max
p.s. You might wonder why suddenly in Windows Server 2016, Microsoft starts
using [0] to generate the Mac. In fact, they have been doing this all the time.
However, before 2016, they also encrypted the certificates, and to decrypt
them, Java has already changed password from [] to [0].
p.p.s. But is this correct? Should the certificate decryption code only
temporarily retries [0] but not changing password itself? Well, maybe. But
unless a weird software sometimes uses [] and sometimes [0], this will not be a
problem, and changing password itself saves us some cycles from always trying
twice.