Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 99925 invoked from network); 14 Feb 2006 21:54:56 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 14 Feb 2006 21:54:56 -0000 Received: (qmail 7602 invoked by uid 500); 14 Feb 2006 21:54:55 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 7567 invoked by uid 500); 14 Feb 2006 21:54:53 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 7558 invoked by uid 99); 14 Feb 2006 21:54:53 -0000 X-ASF-Spam-Status: No, hits=1.3 required=10.0 tests=SPF_FAIL X-Spam-Check-By: apache.org Received: from [192.87.106.226] (HELO ajax.apache.org) (192.87.106.226) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 14 Feb 2006 13:54:51 -0800 Received: from ajax.apache.org (ajax.apache.org [127.0.0.1]) by ajax.apache.org (Postfix) with ESMTP id 4E8EEDD for ; Tue, 14 Feb 2006 22:54:30 +0100 (CET) Message-ID: <1614650977.1139954070318.JavaMail.jira@ajax.apache.org> Date: Tue, 14 Feb 2006 22:54:30 +0100 (CET) From: "Sunitha Kambhampati (JIRA)" To: derby-dev@db.apache.org Subject: [jira] Commented: (DERBY-788) 'store/encryptionKey.sql' fails on Solaris 10 In-Reply-To: <1844336454.1136300522487.JavaMail.jira@ajax.apache.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N [ http://issues.apache.org/jira/browse/DERBY-788?page=comments#action_12366386 ] Sunitha Kambhampati commented on DERBY-788: ------------------------------------------- Since the test is testing the codepath when encryptionKey attribute is used, changing the test so it passes with the JCE provider on Solaris (SunPCKS11-Solaris) should be ok and I think this is what we should do ( either implement 1 or 2) 1) change test to either use DES with 8byte encryptionKey 2) change test to use AES algorithm with 16byte encryptionKey provided AES support is available with the PCKS11-Solaris. That should solve the test failure issue and we would still be testing this case for encryptionKey. Just as an fyi , I tried the first connection url with AES and it works ok with the Sun JCE with jdk 142 on windows. ===================== That said, I think it is interesting that we cant expect the translateKey to always translate the key for us. I found this in the java api for SecretKeySpec. public SecretKeySpec(byte[] key, String algorithm)Constructs a secret key from the given byte array. This constructor does not check if the given bytes indeed specify a secret key of the specified algorithm. For example, if the algorithm is DES, this constructor does not check if key is 8 bytes long, and also does not check for weak or semi-weak keys. In order for those checks to be performed, an algorithm-specific key specification class (in this case: DESKeySpec) should be used. In derby code, there is // Since the key may be a series of bytes generated by an arbitary means // we need to translate it into a key suitable for the algorithm. secretKey = skf.translateKey(new SecretKeySpec(secretKey.getEncoded(), secretKey.getAlgorithm())); I think you are right about - that we cannot assume that invalid key checks would not happen with the call. I looked at the Java api for 1.4.2 but I didnt find any AES specific KeySpec but found for others like DES and DESede. I think we should open another jira so we can record what we learnt here so we can improve this. Thanks Kristian for your analysis and following up on this jira. > 'store/encryptionKey.sql' fails on Solaris 10 > --------------------------------------------- > > Key: DERBY-788 > URL: http://issues.apache.org/jira/browse/DERBY-788 > Project: Derby > Type: Bug > Components: Services, Test, Regression Test Failure > Versions: 10.0.2.1, 10.1.1.2, 10.1.2.1 > Environment: Solaris 10 (generic hardware) > Sun JDK 5.0 with the 'SunPCKS11-Solaris' Java Security provider > Reporter: Kristian Waagan > Priority: Minor > Fix For: 10.2.0.0 > > The 'store/encryptionKey.sql' test fails on Solaris 10. > Investigation revealed that the failure is caused by a difference in behavior between the 'SunPCKS11-Solaris' provider and other providers (tested with 'SunJCE' and 'IBMJCE'). > The initialization of the DES cipher fails because the 16 byte key (specified in the test) is not translated to a 8 byte DES key by SecretKeyFactory.translateKey(). This might be a bug in the provider (I don't know the spec). Enquiries are being made. > The exception is being thrown from the constructor of 'impl.services.jce.JCECipherProvider'. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira