- Bug
- Resolution: Done
- Major
- 7.1.0.DR11
Coverity static analysis found possible use of a null object coming from RawPBEKey.getSalt() passed into javax.crypto.spec.PBEParameterSpec.PBEParameterSpec.
javax.crypto.spec.PBEParameterSpec.java

    public PBEParameterSpec(byte[] salt, int iterationCount) {
        this.salt = salt.clone();
        this.iterationCount = iterationCount;
    }
Responsible Elytron code:
KeyUtils.java

    if (key instanceof PBEKey && paramSpecClass.isAssignableFrom(PBEParameterSpec.class)) {
        final PBEKey pbeKey = (PBEKey) key;
        // TODO: we miss the IV here
        return paramSpecClass.cast(new PBEParameterSpec(pbeKey.getSalt(), pbeKey.getIterationCount()));
    }
- is cloned by: ELY-958 Coverity static analysis: Dereference null return value in KeyUtil (Elytron) (Resolved)
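The null dereference reported above, reproduced next to one possible guard, as an added example that is not code from Elytron or from this report. SaltlessPbeKey, unguarded and guarded are hypothetical names, and rejecting the key with InvalidParameterSpecException is an assumption, not the project's fix; Java 8 or later is assumed.

```java
import java.security.spec.InvalidParameterSpecException;
import javax.crypto.interfaces.PBEKey;
import javax.crypto.spec.PBEParameterSpec;

public class PbeSaltNullCheck {

    // Constructed stand-in for a PBEKey created without a salt (hypothetical class).
    // PBEKey.getSalt() is documented to return null when no salt was specified.
    static final class SaltlessPbeKey implements PBEKey {
        public char[] getPassword() { return "constructed-sample".toCharArray(); }
        public byte[] getSalt() { return null; }
        public int getIterationCount() { return 4096; }
        public String getAlgorithm() { return "PBKDF2WithHmacSHA256"; }
        public String getFormat() { return "RAW"; }
        public byte[] getEncoded() { return null; }
    }

    // Same call shape as the reported code: the salt goes straight into the
    // constructor, which calls salt.clone() and fails on null.
    static PBEParameterSpec unguarded(PBEKey key) {
        return new PBEParameterSpec(key.getSalt(), key.getIterationCount());
    }

    // Hypothetical guard: read the salt once and reject null with a checked
    // exception, so the caller sees a key problem instead of a stray NPE.
    static PBEParameterSpec guarded(PBEKey key) throws InvalidParameterSpecException {
        final byte[] salt = key.getSalt();
        if (salt == null) {
            throw new InvalidParameterSpecException("PBE key carries no salt");
        }
        return new PBEParameterSpec(salt, key.getIterationCount());
    }

    public static void main(String[] args) {
        PBEKey key = new SaltlessPbeKey();
        try {
            unguarded(key);
        } catch (NullPointerException e) {
            System.out.println("unguarded: NullPointerException from salt.clone()");
        }
        try {
            guarded(key);
        } catch (InvalidParameterSpecException e) {
            System.out.println("guarded: " + e.getMessage());
        }
    }
}
```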