Details
- Bug
- Resolution: Done
- Major
- 1.1.0.Beta24
- None
- None
Description
Coverity static analysis found possible use of null object coming from RawPBEKey.getSalt() passed into javax.crypto.spec.PBEParameterSpec.PBEParameterSpec
javax.crypto.spec.PBEParameterSpec.java

    public PBEParameterSpec(byte[] salt, int iterationCount) {
        this.salt = salt.clone();
        this.iterationCount = iterationCount;
    }

Responsible Elytron code:
KeyUtils.java

    if (key instanceof PBEKey && paramSpecClass.isAssignableFrom(PBEParameterSpec.class)) {
        final PBEKey pbeKey = (PBEKey) key;
        // TODO: we miss the IV here
        return paramSpecClass.cast(new PBEParameterSpec(pbeKey.getSalt(), pbeKey.getIterationCount()));
    }

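The following is an added example, not Elytron's code and not the fix that was applied for this issue. It reproduces the reported null dereference with a constructed PBEKey and shows one way to guard the conversion. The class names PbeSpecGuardDemo and ConstructedKey, the method toParameterSpec, and the choice to return null when no salt is available are assumptions made for illustration.

```java
import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.interfaces.PBEKey;
import javax.crypto.spec.PBEParameterSpec;

public class PbeSpecGuardDemo {

    // Constructed PBEKey; PBEKey.getSalt() is documented to return null when no salt is specified.
    static final class ConstructedKey implements PBEKey {
        private final byte[] salt;
        ConstructedKey(byte[] salt) { this.salt = salt; }
        public char[] getPassword() { return "constructed".toCharArray(); }
        public byte[] getSalt() { return salt == null ? null : salt.clone(); }
        public int getIterationCount() { return 1000; }
        public String getAlgorithm() { return "PBEWithMD5AndDES"; }
        public String getFormat() { return "RAW"; }
        public byte[] getEncoded() { return null; }
    }

    // Guarded variant of the conversion quoted above (assumption: null means "no spec available").
    static <P extends AlgorithmParameterSpec> P toParameterSpec(Key key, Class<P> paramSpecClass) {
        if (key instanceof PBEKey && paramSpecClass.isAssignableFrom(PBEParameterSpec.class)) {
            final PBEKey pbeKey = (PBEKey) key;
            final byte[] salt = pbeKey.getSalt();
            if (salt == null) {
                return null; // never reaches salt.clone() inside the PBEParameterSpec constructor
            }
            return paramSpecClass.cast(new PBEParameterSpec(salt, pbeKey.getIterationCount()));
        }
        return null;
    }

    public static void main(String[] args) {
        PBEKey saltless = new ConstructedKey(null);
        PBEKey salted = new ConstructedKey(new byte[] {1, 2, 3, 4, 5, 6, 7, 8});

        // Unguarded call, as in the reported code path: the constructor dereferences the null salt.
        try {
            new PBEParameterSpec(saltless.getSalt(), saltless.getIterationCount());
        } catch (NullPointerException e) {
            System.out.println("unguarded, no salt: NullPointerException");
        }

        System.out.println("guarded, no salt:   " + toParameterSpec(saltless, PBEParameterSpec.class));
        PBEParameterSpec spec = toParameterSpec(salted, PBEParameterSpec.class);
        System.out.println("guarded, with salt: salt length " + spec.getSalt().length
                + ", iterations " + spec.getIterationCount());
    }
}
```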
Issue Links
- clones JBEAP-8497 Coverity static analysis: Dereference null return value in KeyUtil (Elytron) - Verified