db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sunitha Kambhampati (JIRA)" <derby-...@db.apache.org>
Subject [jira] Commented: (DERBY-788) 'store/encryptionKey.sql' fails on Solaris 10
Date Tue, 14 Feb 2006 21:54:30 GMT
    [ http://issues.apache.org/jira/browse/DERBY-788?page=comments#action_12366386 ] 

Sunitha Kambhampati commented on DERBY-788:

Since the test is testing the codepath when encryptionKey attribute is used, changing the
test so it passes with the JCE provider on Solaris (SunPCKS11-Solaris) should be ok and I
think this is what we should do ( either implement 1 or 2)

1) change test to either use DES with 8byte encryptionKey 
2) change test to use AES algorithm with 16byte encryptionKey provided AES support is available
with the PCKS11-Solaris. 

That should solve the test failure issue and we would still be testing this case for encryptionKey.

Just as an fyi , I tried the first connection url with AES and it works ok with the Sun JCE
with jdk 142 on windows. 

That said, I think it is interesting that we cant expect the translateKey to always translate
the key for us. 

I found this in the java api for SecretKeySpec.
public SecretKeySpec(byte[] key,
                     String algorithm)Constructs a secret key from the given byte array. 
This constructor does not check if the given bytes indeed specify a secret key of the specified
algorithm. For example, if the algorithm is DES, this constructor does not check if key is
8 bytes long, and also does not check for weak or semi-weak keys. In order for those checks
to be performed, an algorithm-specific key specification class (in this case: DESKeySpec)
should be used. 

In derby code, there is 
	// Since the key may be a series of bytes generated by an arbitary means
	// we need to translate it into a key suitable for the algorithm.
	secretKey = skf.translateKey(new SecretKeySpec(secretKey.getEncoded(), secretKey.getAlgorithm()));

I think you are right  about - that we cannot assume that invalid key checks would not happen
with the call. I looked at the Java api for 1.4.2 but I didnt find any AES specific KeySpec
but found for others like DES and DESede. 

I think we should open another jira so we can record what we learnt here so we can improve

Thanks Kristian for your analysis and following up on this jira. 

> 'store/encryptionKey.sql' fails on Solaris 10
> ---------------------------------------------
>          Key: DERBY-788
>          URL: http://issues.apache.org/jira/browse/DERBY-788
>      Project: Derby
>         Type: Bug
>   Components: Services, Test, Regression Test Failure
>     Versions:,,
>  Environment: Solaris 10 (generic hardware)
> Sun JDK 5.0 with the 'SunPCKS11-Solaris' Java Security provider
>     Reporter: Kristian Waagan
>     Priority: Minor
>      Fix For:

> The 'store/encryptionKey.sql' test fails on Solaris 10.
> Investigation revealed that the failure is caused by a difference in behavior between
the 'SunPCKS11-Solaris' provider and other providers (tested with 'SunJCE' and 'IBMJCE').
> The initialization of the DES cipher fails because the 16 byte key (specified in the
test) is not translated to a 8 byte DES key by SecretKeyFactory.translateKey(). This might
be a bug in the provider (I don't know the spec). Enquiries are being made.
> The exception is being thrown from the constructor of 'impl.services.jce.JCECipherProvider'.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:

View raw message