tomcat-dev mailing list archives

From "Attila Szegedi" <szege...@freemail.hu>
Subject Re: [PATCH] SSL how-to documentation
Date Tue, 25 Sep 2001 11:45:38 GMT
A quick look inside the source code of sun.security.provider.JavaKeyStore reveals the following
line in the getPreKeyedHash() method:

 md.update("Mighty Aphrodite".getBytes("UTF8"));

Background: They're storing an MD5 hash of the password in the keystore to ensure the keystore
was not tampered with. To make the MD5 hash harder to crack (assuming the cracker is not smart
enough to study the JDK sources itself), it is pre-keyed with the above tribute to Woody Allen.
As it appears nowhere in the specs, a cleanroom JDK could use another string to pre-key the
hash (potentially it could even not pre-key it at all). In this case, a keystore created with
Sun JDK would appear tampered when opened by a JDK that pre-keys the hash with "Everything
You Always Wanted to Know About Sex".

Attila.

> > 
> > Christopher Cain wrote:
> > > 
> > > Hi Patrick. Could you explain this a little further? Actually creating a
> > > keystore using keytool of course has nothing to do with Tomcat per se, so I
> > > assume you mean that the keystore created might not work with Tomcat. Under
> > > what conditions would a keystore generated by one JDK not work with another
> > > JDK? In testing, I was able to generate a keystore on a Windoze box with JDK
> > > 1.3.1, copy it over to a Linux box running 1.3.0, and successfully start up
> > > Tomcat and access a page over SSL. If you have a properly-formatted JKS store,
> > > why would it matter which JDK produced it?
> > > 
> > 
> > -- 
> > _____________________________________________________________________
> > Patrick Luby                          Email: patrick.luby@sun.com
> > Software Engineering Manager          Phone: 408-863-3284
> > Sun Microsystems
> > 901 San Antonio Road, UCUP01-103
> > Palo Alto, CA 94303-4900
> > _____________________________________________________________________
> > 
> 
> 
> 
> - Christopher
> 
> /**
>  * Pleurez, pleurez, mes yeux, et fondez vous en eau!
>  * La moitié de ma vie a mis l'autre au tombeau.
>  *    ---Corneille
>  */
> 
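As an added illustration (not code from this thread or from the JDK), here is the keystore integrity check the message describes, in Python: the digest is computed over the password, the pre-key string and the keystore bytes, and a reader that pre-keys with a different string rejects a store the Sun JDK wrote as tampered. The digest used is SHA-1, which is what JavaKeyStore actually feeds through getPreKeyedHash; the zero-entry keystore and the alternative pre-key string are constructed for the example.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
SUN_PREKEY = "Mighty Aphrodite"  # the literal quoted from JavaKeyStore.getPreKeyedHash
# Hypothetical pre-key a cleanroom JDK might choose instead (constructed example).
OTHER_PREKEY = "Everything You Always Wanted to Know About Sex"


def prekeyed_digest(password: str, prekey: str, body: bytes) -> bytes:
    """SHA-1 over (password as UTF-16BE) + prekey (UTF-8) + keystore bytes.

    JavaKeyStore feeds each password char as two big-endian bytes, which is
    exactly UTF-16BE for characters in the Basic Multilingual Plane.
    """
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(prekey.encode("utf-8"))
    md.update(body)
    return md.digest()


def write_empty_jks(password: str, prekey: str = SUN_PREKEY) -> bytes:
    """Constructed sample store: header (magic, version, entry count = 0)
    followed by the trailing 20-byte integrity digest, as in the JKS layout."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)
    return body + prekeyed_digest(password, prekey, body)


def integrity_ok(keystore: bytes, password: str, prekey: str = SUN_PREKEY) -> bool:
    """What the loading JDK does: recompute the digest with *its own* pre-key
    string and compare it with the stored one. Any mismatch (wrong password,
    modified bytes, or a different pre-key) shows up as a 'tampered' keystore."""
    if len(keystore) < 12 + 20:
        return False
    body, stored = keystore[:-20], keystore[-20:]
    magic, version, _count = struct.unpack(">III", body[:12])
    if magic != JKS_MAGIC or version != JKS_VERSION:
        return False
    return hmac.compare_digest(prekeyed_digest(password, prekey, body), stored)


if __name__ == "__main__":
    ks = write_empty_jks("changeit")
    print("Sun pre-key  :", integrity_ok(ks, "changeit"))               # True
    print("other pre-key:", integrity_ok(ks, "changeit", OTHER_PREKEY))  # False
```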
