Closed loentar closed 7 years ago
Thank you for your report, it was an excellent one with a test sample that helps me to understand the point, and I need to ask sorry for the long time to answer too.
About the problem, I think it is more a misunderstanding caused by the method name than a bug, the method decrypt
can throw 8 different exceptions, so I designed another method decryptOrNull
that just do a try-catch and returns null if some error occurs to be verified with a null check.
You are right, in the case of wrong padding blocks, we receive a BadPaddingException
so it is the reason that decryptOrNull
returns null because it catches the exception and returns null. But in the case of wrong passwords, as far as I know, there is no way to verify if it is correct or no. So the library just returns a wrong unencrypted text.
Thank you again, I'm closing the issue once it is not a bug. If you or someone know a way to test the password and I'm not sure if it is secury, we can reopen this issue and think in a solution.
I expect to get
null
any time when decryption failed while usingdecryptOrNull
, but sometimes it returns junk when decrypting with invalid key.Here is a test:
This test fails on
assertNull
with message:java.lang.AssertionError: expected null, but was:<�f ���S��!Q��>
I suspect the padding block is OK in this case and library threats this situation as successful decryption.