[GitHub] [tomcat] xiezhaokun commented on a change in pull request #462: Add support for password-based encryption scheme 2 params (PBES2)

Mon, 27 Dec 2021 19:40:41 -0800 


xiezhaokun commented on a change in pull request #462:
URL: https://github.com/apache/tomcat/pull/462#discussion_r775711336



##########
File path: java/org/apache/tomcat/util/net/jsse/PEMFile.java
##########
@@ -210,6 +214,14 @@ public PrivateKey toPrivateKey(String password, String 
keyAlgorithm, Format form
             throw exception;
         }
 
+        private String getPBEAlgorithm(EncryptedPrivateKeyInfo privateKeyInfo) 
{
+            AlgorithmParameters parameters = privateKeyInfo.getAlgParameters();
+            if(parameters != null && 
OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())) {
+                return parameters.toString();

Review comment:
       If use PBES2 , the parameters is  PBES2Parameters and engineToString 
return pbes2AlgorithmName .
   
   ```
   
    @SuppressWarnings("deprecation")
       protected void engineInit(byte[] encoded)
           throws IOException
       {
           String kdfAlgo = null;
           String cipherAlgo = null;
   
           DerValue pBES2_params = new DerValue(encoded);
           if (pBES2_params.tag != DerValue.tag_Sequence) {
               throw new IOException("PBE parameter parsing error: "
                   + "not an ASN.1 SEQUENCE tag");
           }
           DerValue kdf = pBES2_params.data.getDerValue();
   
           // Before JDK-8202837, PBES2-params was mistakenly encoded like
           // an AlgorithmId which is a sequence of its own OID and the real
           // PBES2-params. If the first DerValue is an OID instead of a
           // PBES2-KDFs (which should be a SEQUENCE), we are likely to be
           // dealing with this buggy encoding. Skip the OID and treat the
           // next DerValue as the real PBES2-params.
           if (kdf.getTag() == DerValue.tag_ObjectId) {
               pBES2_params = pBES2_params.data.getDerValue();
               kdf = pBES2_params.data.getDerValue();
           }
   
           kdfAlgo = parseKDF(kdf);
   
           if (pBES2_params.tag != DerValue.tag_Sequence) {
               throw new IOException("PBE parameter parsing error: "
                   + "not an ASN.1 SEQUENCE tag");
           }
           cipherAlgo = parseES(pBES2_params.data.getDerValue());
   
           pbes2AlgorithmName = new StringBuilder().append("PBEWith")
               .append(kdfAlgo).append("And").append(cipherAlgo).toString();
       }
   
       /*
        * Returns a formatted string describing the parameters.
        *
        * The algorithn name pattern is: "PBEWith<prf>And<encryption>"
        * where <prf> is one of: HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384,
        * or HmacSHA512, and <encryption> is AES with a keysize suffix.
        */
       protected String engineToString() {
           return pbes2AlgorithmName;
       }
   ```




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to