JDK-8158534 : DrbgParameters strength parameter is underspecified if < -1
- Type: Bug
- Component: security-libs
- Sub-Component: java.security
- Affected Version: 9
- Priority: P3
- Status: Resolved
- Resolution: Fixed
- Submitted: 2016-06-02
- Updated: 2017-05-17
- Resolved: 2016-06-12
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 9 |
|---|
9 b123Fixed  |
Related Reports
|
Relates :
|
Description
From looking at the code, it looks like the implementation treats any value for the strength parameter that is < 0 as a default strength. In that case, I think the API should be updated to specify that. In fact, it is currently underspecified since it does not say how values < -1 are handled. However, it may be more reasonable to throw IllegalArgumentException if the strength parameter is < -1. This affects the instantiation and nextBytes methods which both take a strength parameter.
Comments
|