On my Mac, running the Oracle JRE, when I call javax.crypto.Mac.init() with a 5 character password I get no complaints. With classpath on my embedded device it throws a java.security.InvalidKeyException: Key too short. I'm including the sample code along with output below. ==Oracle JRE== $ java KeySample Done $ java -version java version "1.6.0_33" Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720) Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode) $ ==classpath== # jamvm KeySample Exception in thread "main" java.security.InvalidKeyException: Key too short at gnu.javax.crypto.mac.HMac.init(HMac.java:148) at gnu.javax.crypto.jce.mac.MacAdapter.engineInit(MacAdapter.java:119) at javax.crypto.Mac.init(Mac.java:349) at javax.crypto.Mac.init(Mac.java:328) at KeySample.<init>(KeySample.java:14) at KeySample.main(KeySample.java:8) # jamvm -version java version "1.5.0" JamVM version 1.5.4 Copyright (C) 2003-2010 Robert Lougher <rob@jamvm.org.uk> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. Build information: Execution Engine: direct-threaded interpreter with stack-caching Compiled with: gcc 4.4.6 Boot Library Path: /usr/lib/classpath Boot Class Path: /usr/share/jamvm/classes.zip:/usr/share/classpath/glibj.zip #
Created attachment 27849 [details] KeySample.java
Created attachment 27850 [details] classpath-0.98-KeyTooShort.patch
I attached a patch that fixes the problem for me.
Commenting the code out isn't a solution. If you set the attribute gnu.crypto.hmac.pkcs5 to true, the test will be skipped as you wish.
The code calling Mac is part of a third party library. How do I set the attribute you described?
Why does (In reply to Andrew John Hughes from comment #4) > Commenting the code out isn't a solution. > > If you set the attribute gnu.crypto.hmac.pkcs5 to true, the test will be > skipped as you wish. Why does gnu.crypto.mac.HMac try to enforce that the key size is >= the output block size of the underlying algorithm? In general there is no such requirement for HMAC algorithms and while this test may make sense in some cases, in others obviously it does not. I think that this test should be removed.