Null Pointer Exception for deserialized object of class ProvSecretKeySpec from the old BC-FIPS version 1.0.1 with the newer version 1.0.2.4 #1628
Comments
@yusuf4u52 Do you have an example key store (not with real keys!) you'd mind sharing? Also the full stack trace would be appreciated. Is this the BCFKS or the Java keystore (JKS)? (I'm having a hard time seeing how this would be triggered without a reproducer, in particular.)
It is a Java JCEKS keystore and I am attaching the sample keystore file. What I meant to say is that the deserialization works but the ProvSecretKeySpec object I get has hasBeenDestroyed set to null, and so getEncoded or any other get method on ProvSecretKeySpec returns a NullPointerException. I will paste the stack trace in a bit.
Throwable=[java.lang.NullPointerException
@yusuf4u52 Sorry, mind giving me a hint as to what the keystore/entry passwords are? :-) But I think I see the issue either way: https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java uses https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/javax/crypto/SealedObject.java (https://docs.oracle.com/javase/8/docs/api/javax/crypto/SealedObject.html), which as the docs point out:
Notably, the 1.0.2 usage guide doesn't say the use of the JKS with secret keys is allowed... So I think using BCFKS would be most ideal.
Okay, so the earlier keys didn't implement Destroyable. I think you should be able to convert the key store to BCFKS - it will handle AES, Camellia, TripleDES, ARIA, SEED, and HMAC keys. If it's not one of those, you'll need to convert it by hand. You could use a custom version of the FIPS provider which dealt with the missing field and then reserialise it, at which point you'll find the key store should work with 1.0.2.4.
Yes, the ProvSecretKeySpec.readObject would need to set hasBeenDestroyed properly. I am thinking of going the custom version route.
I have a secretKey serialized and stored in the keystore file with the older version of the bc-fips jar, 1.0.1.
But when I deserialize the file with the newer version of the jar, 1.0.2.4, I get a NullPointerException for getKey.
This is due to the missing property

```java
private final AtomicBoolean hasBeenDestroyed = new AtomicBoolean(false);
```

in the deserialized object. What are my migration options?
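The following is an added example, constructed for this page and not BC-FIPS or JDK code, of the failure the issue describes and of the "custom version that deals with the missing field, then reserialise" route suggested above. `StockKey` and `MigratingKey` are assumed stand-ins for a class like ProvSecretKeySpec; the old-format stream is hand-written from the Java serialization grammar, because the stream and the local class must share a name and two versions of one class cannot coexist in a single file; and `readResolve` is the repair hook chosen here, since a final field cannot be assigned from inside `readObject`:

```java
import java.io.*;
import java.util.concurrent.atomic.AtomicBoolean;

// Constructed example, not BC-FIPS code: StockKey and MigratingKey are assumed stand-ins for a
// Serializable key class that gained a `final AtomicBoolean hasBeenDestroyed` field in a later release.
public class KeyMigrationDemo {
    // Newer layout with no deserialisation hook. Field initialisers and constructors do not run
    // when a Serializable object is read back, so a stream predating the field leaves it null.
    static class StockKey implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String algorithm;
        private final byte[] encoded;
        private final AtomicBoolean hasBeenDestroyed = new AtomicBoolean(false);

        StockKey(String algorithm, byte[] encoded) { this.algorithm = algorithm; this.encoded = encoded.clone(); }

        byte[] getEncoded() {
            if (hasBeenDestroyed.get()) throw new IllegalStateException("destroyed"); // NPE when the flag is null
            return encoded.clone();
        }
    }

    // Same layout plus readResolve, the hook that can substitute a properly constructed object even
    // though the field is final. Re-serialising the result yields a stream that carries the flag.
    static class MigratingKey implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String algorithm;
        private final byte[] encoded;
        private final AtomicBoolean hasBeenDestroyed;

        MigratingKey(String algorithm, byte[] encoded, boolean destroyed) {
            this.algorithm = algorithm; this.encoded = encoded.clone(); this.hasBeenDestroyed = new AtomicBoolean(destroyed);
        }

        byte[] getEncoded() {
            if (hasBeenDestroyed.get()) throw new IllegalStateException("destroyed");
            return encoded.clone();
        }

        private Object readResolve() {
            // Old stream: field absent, so null, meaning "not destroyed". New stream: keep the stored value.
            return new MigratingKey(algorithm, encoded, hasBeenDestroyed != null && hasBeenDestroyed.get());
        }
    }

    // Hand-writes what a release without the flag would have serialised for `className`, following the
    // Java serialisation grammar: a descriptor listing only algorithm and encoded, then those two values.
    static byte[] oldFormatStream(String className, String algorithm, byte[] encoded) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC);
        out.writeShort(ObjectStreamConstants.STREAM_VERSION);
        out.writeByte(ObjectStreamConstants.TC_OBJECT);
        out.writeByte(ObjectStreamConstants.TC_CLASSDESC);
        out.writeUTF(className);
        out.writeLong(1L);                                    // serialVersionUID shared by both layouts
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE); // plain Serializable, no writeObject
        out.writeShort(2);                                    // object fields, sorted by name
        out.writeByte('L'); out.writeUTF("algorithm");
        out.writeByte(ObjectStreamConstants.TC_STRING); out.writeUTF("Ljava/lang/String;");
        out.writeByte('['); out.writeUTF("encoded");
        out.writeByte(ObjectStreamConstants.TC_STRING); out.writeUTF("[B");
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA); // no class annotations
        out.writeByte(ObjectStreamConstants.TC_NULL);         // no Serializable superclass
        out.writeByte(ObjectStreamConstants.TC_STRING); out.writeUTF(algorithm);
        out.writeByte(ObjectStreamConstants.TC_ARRAY);
        out.writeByte(ObjectStreamConstants.TC_CLASSDESC);
        out.writeUTF("[B");
        out.writeLong(0xACF317F8060854E0L);                   // the JDK's serialVersionUID for byte[]
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE);
        out.writeShort(0);
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA);
        out.writeByte(ObjectStreamConstants.TC_NULL);
        out.writeInt(encoded.length);
        out.write(encoded);
        out.flush();
        return buf.toByteArray();
    }

    static Object deserialize(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) { return in.readObject(); }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];                            // constructed sample bytes, not a real key
        for (int i = 0; i < key.length; i++) key[i] = (byte) i;
        // 1. Old store read by the stock newer class: the flag is null and every getter NPEs.
        StockKey stock = (StockKey) deserialize(oldFormatStream(StockKey.class.getName(), "AES", key));
        try { stock.getEncoded(); } catch (NullPointerException e) { System.out.println("stock class: " + e); }
        // 2. Same bytes read by the migrating class, then re-serialised so the flag is in the stream.
        MigratingKey migrated = (MigratingKey) deserialize(oldFormatStream(MigratingKey.class.getName(), "AES", key));
        ByteArrayOutputStream fresh = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(fresh)) { oos.writeObject(migrated); }
        MigratingKey reread = (MigratingKey) deserialize(fresh.toByteArray());
        System.out.println("migrated: " + migrated.getEncoded().length + " bytes; re-read: " + reread.getEncoded().length + " bytes");
    }
}
```

Run with `java KeyMigrationDemo.java` on JDK 11 or later. Two points carry over to the real migration: the patched class must keep the exact fully qualified name and serialVersionUID of the class in the provider jar, or ObjectInputStream rejects the stream before any hook runs, and once the keystore has been re-serialised with the repaired class the stream contains the flag, so the stock class reads it without further help.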