  1. WSS4J
  2. WSS-227

CryptoBase.getPrivateKey() unable to handle empty (null) passwords

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.5.9, 1.6
    • Component/s: None
    • Labels:
      None
    • Environment:
      java version "1.6.0_17"
      Java(TM) SE Runtime Environment (build 1.6.0_17-b04)
      Java HotSpot(TM) Client VM (build 14.3-b01, mixed mode, sharing)

      Description

      While working with SoapUI 3.5 I came across a possible bug where CryptoBase.getPrivateKey() is unable to return a private key when the keystore is not protected by a password.

      CryptoBase.java:261
      Key keyTmp = keystore.getKey(alias, password.toCharArray());

      proposed fix:

      Key keyTmp = keystore.getKey(alias, password == null ? new char[]{} : password.toCharArray());

      I do also realize that one could argue the issue is SoapUI's fault; a fix on that side would be to pass an empty string to the corresponding methods instead of the null value. In my opinion, fixing it in the wss4j core seems to be more appropriate.
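
      The failure and the proposed null check can be reproduced outside WSS4J. The following is an added example, not code from the reporter or from the WSS4J project: the class name, the helper, the alias "demo", and the use of an in-memory JCEKS keystore holding an AES key (as a stand-in for a private key entry stored without a password) are all assumptions made for illustration.

```java
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class NullPasswordKeyLookup {

    // Hypothetical helper (not WSS4J code): treat a null password as an
    // empty one, as in the proposed fix, and wipe the temporary array.
    static Key getKey(KeyStore keystore, String alias, String password) throws Exception {
        char[] pw = (password == null) ? new char[0] : password.toCharArray();
        try {
            return keystore.getKey(alias, pw);
        } finally {
            Arrays.fill(pw, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test data: in-memory JCEKS keystore with one AES key
        // stored under an empty entry password.
        KeyStore keystore = KeyStore.getInstance("JCEKS");
        keystore.load(null, null);
        SecretKey stored = KeyGenerator.getInstance("AES").generateKey();
        keystore.setKeyEntry("demo", stored, new char[0], null);

        String password = null; // what the caller passes for "no password"

        // Behaviour of the original line: the NullPointerException is raised
        // by password.toCharArray() before the keystore is consulted.
        try {
            keystore.getKey("demo", password.toCharArray());
        } catch (NullPointerException e) {
            System.out.println("original call: NullPointerException");
        }

        // Behaviour with the null check in place.
        Key recovered = getKey(keystore, "demo", password);
        System.out.println("null-safe call recovered key: "
                + Arrays.equals(stored.getEncoded(), recovered.getEncoded()));
    }
}
```

      An entry stored under an empty password has no effective protection of its own, so confidentiality of the key then rests on access control to the keystore file.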

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              pulsar256 Paul Rogalinski
                Time Tracking

                Estimated: 5m
                Remaining: 5m
                Logged: Not Specified