On my Mac, running the Oracle JRE, when I call javax.crypto.Mac.init() with a 5 character password I get no complaints. With classpath on my embedded device it throws a java.security.InvalidKeyException: Key too short.
I'm including the sample code along with output below.
$ java KeySample
$ java -version
java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)
# jamvm KeySample
Exception in thread "main" java.security.InvalidKeyException: Key too short
# jamvm -version
java version "1.5.0"
JamVM version 1.5.4
Copyright (C) 2003-2010 Robert Lougher <email@example.com>
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2,
or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
Execution Engine: direct-threaded interpreter with stack-caching
Compiled with: gcc 4.4.6
Boot Library Path: /usr/lib/classpath
Boot Class Path: /usr/share/jamvm/classes.zip:/usr/share/classpath/glibj.zip
Created attachment 27849 [details]
Created attachment 27850 [details]
I attached a patch that fixes the problem for me.
Commenting the code out isn't a solution.
If you set the attribute gnu.crypto.hmac.pkcs5 to true, the test will be skipped as you wish.
The code calling Mac is part of a third party library. How do I set the attribute you described?
Why does (In reply to Andrew John Hughes from comment #4)
> Commenting the code out isn't a solution.
> If you set the attribute gnu.crypto.hmac.pkcs5 to true, the test will be
> skipped as you wish.
Why does gnu.crypto.mac.HMac try to enforce that the key size is >= the output block size of the underlying algorithm? In general there is no such requirement for HMAC algorithms and while this test may make sense in some cases, in others obviously it does not.
I think that this test should be removed.