db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-4229) encryptionKeyLength connection attribute should be documented
Date Sat, 22 Sep 2012 04:57:08 GMT

    [ https://issues.apache.org/jira/browse/DERBY-4229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13461027#comment-13461027

Dag H. Wanvik commented on DERBY-4229:

It seems encryptionKeyLength can be used with *both* bootPassword and encryptionKey, cf this
code comment in JCECipherFactory.java:

490        // note: Attribute.CRYPTO_KEY_LENGTH is set during creation time to a supported
491        // key length in the connection url. Internally , two values are stored in this
492        // if encryptionKey is used, this property will have only the encoded key length
493        // if boot password mechanism is used, this property will have the following
494        // keylengthBits-EncodedKeyLength

Using both bootPassword and encryptionKey throws an exception, cf. this code:

// incorrect to specify external key and boot password
563                if (properties.getProperty((newAttrs ?
564                                            Attribute.NEW_BOOT_PASSWORD :
565                                            Attribute.BOOT_PASSWORD)) != null)
566                    throw StandardException.newException(SQLState.SERVICE_WRONG_BOOT_PASSWORD);

SERVICE_WRONG_BOOT_PASSWORD is SQL state "XBM06", btw, but I don't think we document that..

- Your question as to the finals statement in the docs: Now, if the keylength specified is
wrong, the code call

>  keyGen.init(keyLengthBits);

will throw InvalidParameterException in JCECipherFactory#generateUniqueBytes. IPE is not a
checked exception, so presumably it would get caught somewhere, and converted to an SQLException,
new test in order!!
> encryptionKeyLength connection attribute should be documented
> -------------------------------------------------------------
>                 Key: DERBY-4229
>                 URL: https://issues.apache.org/jira/browse/DERBY-4229
>             Project: Derby
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions:
>            Reporter: Kathey Marsden
>            Assignee: Kim Haase
>             Fix For:
>         Attachments: cdevcsecure67151.html, DERBY-4229-2.diff, DERBY-4229-2.stat, DERBY-4229.diff,
> The developer guide says:
> The length of the encryption key depends on the algorithm used:
> AES (128, 192, and 256 bits) 
> DES (the default) (56 bits) 
> DESede (168 bits) 
> All other algorithms (128 bits) 
> Note: The boot password should have at least as many characters as number of bytes in
the encryption key (56 bits=8 bytes, 168 bits=24 bytes, 128 bits=16 bytes). The minimum number
of characters for the boot password allowed by Derby is eight.
> For AES, however,  it does not tell how to change the default key length  of 128.  This
can be changed with the encryptionKeyLength connection attribute.  The documentation should
also specify that special policy files for the JRE may be necessary to accomodate the longer
> Also note that there is an outstanding issue DERBY-3710 regarding length of 192 for AES.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message