JDK-8240776 : SunJCE provider should throw exceptions for unsupported mode and padding combinations
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Priority: P4
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 14
  • Submitted: 2020-03-09
  • Updated: 2020-03-12
  • Resolved: 2020-03-12
Related Reports
CSR :  
The changes have been integrated into JDK14 as a bug fix. This retroactive CSR is filed for reviewing the integrated changes.

Change SunJCE provider to throw NoSuchAlgorithmException or NoSuchPaddingException when CTR, CTS and GCM modes are requested with PKCS5Padding for a Cipher instance. Prior to the fix, it silently ignored the requested PKCS5Padding and proceeded as if no padding is requested.

SunJCE provider does not support padding to be used with CTR, CTS and GCM modes. For other paddings, SunJCE provider will throw exception indicating that these modes can only be used with "NoPadding". However, for PKCS5Padding, it fails to throw exception and instead ignores the PKCS5Padding request and proceeds. This is inconsistent and misleading. 

Change SunJCE provider to throw exception for PKCS5Padding just like other paddings when CTR, CTS, and GCM modes are requested for a Cipher instance. Depending on the call sequence and call path, NoSuchAlgorithmException or NoSuchPaddingException will be thrown.

No public javadoc changes. The provider fix and other relevant changes can be found at: http://cr.openjdk.java.net/~valeriep/8180392/webrev.00/ for reference.

Retroactively moving to Approved.