Hi Götz,

thank you for the review!

Best regards,
Martin


From: Lindenmaier, Goetz <goetz.lindenma...@sap.com>
Date: Wednesday, 19 May 2021 at 12:10
To: Doerr, Martin <martin.do...@sap.com>, jdk-updates-...@openjdk.java.net 
<jdk-updates-...@openjdk.java.net>, security-dev <security-dev@openjdk.java.net>
Subject: RE: [11u] RFR: 8266293: Key protection using PBEWithMD5AndDES fails 
with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes 
long"

Hi Martin,

This looks good to me. The adaption makes sense.

Best regards,
  Goetz.

From: security-dev <security-dev-r...@openjdk.java.net> On Behalf Of Doerr, 
Martin
Sent: Tuesday, 18 May 2021 17:03
To: jdk-updates-...@openjdk.java.net; security-dev 
<security-dev@openjdk.java.net>
Subject: [11u] RFR: 8266293: Key protection using PBEWithMD5AndDES fails with 
"java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"

Hi,

JDK-8266293 is backported to 11.0.12-oracle. The included test shows that the 
fix is required in 11u.

Bug:
https://bugs.openjdk.java.net/browse/JDK-8266293

Original change:
https://git.openjdk.java.net/jdk/commit/04f71126479f9c39aa71e8aebe7196d72fc16796

It applies almost cleanly. Only the bug id addition in the test had to get done 
manually.

However, the new code needs an adaptation because JDK11u doesn't contain 
KnownOIDs.
One of the original author’s comments says:
"Backporters might need to check case-insensitive equality to both 
"PBEWithMD5AndDES" and "1.2.840.113549.1.5.3" because both the algorithm name 
and OID can be specified through the system property."
I've followed this suggestion directly.
It should also be possible to do something tricky with 
AlgorithmId.pbeWithMD5AndDES_oid, but that seems to be more error-prone, so 
that is not my first choice for a backport.

11u backport:
http://cr.openjdk.java.net/~mdoerr/8266293_keyprotection_11u/webrev.00/

Please review.

Best regards,
Martin
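
The name-or-OID check quoted above and the salt-length failure from the subject line, as an added example that is not part of the original e-mail or of the JDK change. The helper `saltLengthFor`, the 20-byte default salt, the iteration count and the sample inputs are assumptions made for illustration; the cipher calls are the standard JCE API.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeSaltLengthDemo {
    static final String PBE_MD5_DES_NAME = "PBEWithMD5AndDES";
    static final String PBE_MD5_DES_OID = "1.2.840.113549.1.5.3";

    // Hypothetical helper: the configured value may be the algorithm name or
    // its OID, so compare case-insensitively against both.
    // The 20-byte fallback for other algorithms is an assumption.
    static int saltLengthFor(String configured) {
        boolean md5Des = PBE_MD5_DES_NAME.equalsIgnoreCase(configured)
                || PBE_MD5_DES_OID.equalsIgnoreCase(configured);
        return md5Des ? 8 : 20;
    }

    // Encrypts keyBytes with PBEWithMD5AndDES using a random salt of saltLen bytes.
    static byte[] protect(int saltLen, char[] password, byte[] keyBytes)
            throws GeneralSecurityException {
        byte[] salt = new byte[saltLen];
        new SecureRandom().nextBytes(salt);
        SecretKey pbeKey = SecretKeyFactory.getInstance(PBE_MD5_DES_NAME)
                .generateSecret(new PBEKeySpec(password));
        Cipher cipher = Cipher.getInstance(PBE_MD5_DES_NAME);
        cipher.init(Cipher.ENCRYPT_MODE, pbeKey, new PBEParameterSpec(salt, 1000));
        return cipher.doFinal(keyBytes);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] password = "changeit".toCharArray(); // constructed sample password
        byte[] keyBytes = new byte[32];             // constructed stand-in for an encoded key
        for (String configured : new String[] {PBE_MD5_DES_NAME, "pbewithmd5anddes", PBE_MD5_DES_OID}) {
            int len = saltLengthFor(configured);
            System.out.println(configured + ": salt " + len + " bytes, ciphertext "
                    + protect(len, password, keyBytes).length + " bytes");
        }
        try {
            protect(20, password, keyBytes); // salt length that fits other PBE schemes
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("20-byte salt rejected: " + e.getMessage());
        }
    }
}
```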
