Java Security, 2nd Edition
By Scott Oaks

The unconfirmed error reports are from readers. They have not yet been approved or disproved by the author or editor and represent solely the opinion of the reader.

Here's a key to the markup:

[page-number]: serious technical mistake
{page-number}: minor technical mistake
: important language/formatting problem
(page-number): language change or minor formatting problem
?page-number?: reader question or request for clarification

This page was updated January 09, 2003.

UNCONFIRMED errors and comments from readers:

(i) Cover;
Ok, this is really picky, but I'm fairly sure that 'JSEE' doesn't exist. If I am assuming correctly, the banner on the corner should read 'Covers JAAS and JSSE'. Great book though!

{34} 2nd paragraph;
... and all code is allowed to read the java.vendor system property.
should read:
... and all code is allowed to read the java.version system property.

{93} description of the method:
    public abstract boolean implies(Permission p);
Checks to see if any permission in the collection implies the given permission.
should read
Checks to see if all permissions together in the collection implies the given permission.

(108) 3rd paragraph;
The first sentence begins:
So protection domain can grant...
This should read:
So a protection domain can grant...

[114] last paragraph;
Let's assume that no class loader based package separation exists -> 'no' should be omitted.

{176} Code sample at bottom;
The first line of generateKeyPair() is:
    int rotValue = random.nextInt() % 25;
This gives us a value between 0 and 24 inclusive. For a rotation cipher, a value of 0 would have no effect. We really want a value between 1 and 25 inclusive. Therefore, the first line of generateKeyPair() should be:
    int rotValue = (random.nextInt() % 25) + 1;

[176] code at the top of the page.;
The getEncoded method appears to be transferring the rotValue field into an array of four bytes.
If that is the intended operation, then the rotValue field should be shifted to the right, but instead it has been shifted to the left. Consequently, the last three bytes of the array will always contain zero regardless of the contents of the rotValue field. A similar error appears at the bottom of page 179. The code bug is shown below.

    public byte[] getEncoded() {
        byte b[] = new byte[4];
        b[3] = (byte) ((rotValue << 24) & 0xff);
        b[2] = (byte) ((rotValue << 16) & 0xff);
        b[1] = (byte) ((rotValue << 8) & 0xff);
        b[0] = (byte) ((rotValue << 0) & 0xff);
        return b;
    }

Any value that is shifted to the left 24 bits and anded with 0xff will be zero. The solution is to shift to the right.

{179} Code sample at bottom;
The XORKey class has a data member:
    int rotValue;
The same name is used in the XYZKey class on p. 175. As XORKey does not represent a "key" for a rotation cipher, it would be clearer to use a different name for this value, to differentiate it from the previous example. Perhaps a name like "xorValue" would be clearer.

{180} Code sample;
The method engineGenerateKey() calls the XORKey constructor with a byte argument, rather than an int. While this would work, it uses only a fraction of the available keyspace. The last three lines of engineGenerateKey() could be replaced with:
    int n = sr.nextInt();
    return new XORKey(n);

[193] 4th para;
If the certificate is invalid, this method throws a SignatureException (and not a CertificateException).

(209) 2nd paragraph;
The first sentence of the paragraph reads:
Note that these CAs are the all from the same company.
The first instance of "the" in the sentence should be removed.

{210} 2nd definition and 4th definition;
The definitions of "-keypass password" (2nd definition) and "-storepass password" (4th definition) appear to be switched.
Based on what I read later in the chapter, it looks like -keypass is to specify the password for the particular entry's private key (particular alias) and -storepass is to specify the password for the entire (global) keystore.
-keypass for alias
-storepass for keystore

{249} 4th paragraph;
Regarding the three overloaded doFinal() methods of the MAC class, the second sentence states, "The last two methods allow you to specify the last data to include in the MAC." Only the second method allows this; the third does not.

[326] last line in the code SSLClientVerifier;
The X500Name class is a part of the com.sun.net.ssl.internal.ssl.* package; the import statement is missing for SSLClientVerifier. Should be added:
    import com.sun.net.ssl.internal.ssl.*;

{360} Top of page 360.;
Near the top of page 360 the text is as follows.
On Microsoft Windows, the command looks like this:
    C:\files javac -classpath ..\..\..\;actions CountFiles.java
End of Quote.
The above command line suggests that the javac command should be invoked from the C:\files directory. However, the command should be invoked from C:\files\javasec\samples\ch15.
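
The [176] getEncoded() report above, as an added example (not code from the book or from any reader): it runs the quoted left-shift encoding beside a right-shift version on constructed values and counts how many distinct key values survive each one. The class name and the decode() and hex() helpers are hypothetical.

```java
import java.util.*;

public class RotValueEncoding {
    // Encoding as quoted in the [176] report: the left shifts leave b[1]..b[3] at zero.
    static byte[] encodeAsPrinted(int rotValue) {
        byte[] b = new byte[4];
        b[3] = (byte) ((rotValue << 24) & 0xff);
        b[2] = (byte) ((rotValue << 16) & 0xff);
        b[1] = (byte) ((rotValue << 8) & 0xff);
        b[0] = (byte) ((rotValue << 0) & 0xff);
        return b;
    }

    // Right shifts, as the report proposes; b[0] remains the low-order byte.
    static byte[] encodeShiftRight(int rotValue) {
        byte[] b = new byte[4];
        b[3] = (byte) ((rotValue >>> 24) & 0xff);
        b[2] = (byte) ((rotValue >>> 16) & 0xff);
        b[1] = (byte) ((rotValue >>> 8) & 0xff);
        b[0] = (byte) (rotValue & 0xff);
        return b;
    }

    // Hypothetical inverse (not from the book), used only to check the round trip.
    static int decode(byte[] b) {
        return ((b[3] & 0xff) << 24) | ((b[2] & 0xff) << 16)
             | ((b[1] & 0xff) << 8) | (b[0] & 0xff);
    }

    static String hex(byte[] b) {
        return String.format("%02x %02x %02x %02x", b[0] & 0xff, b[1] & 0xff, b[2] & 0xff, b[3] & 0xff);
    }

    public static void main(String[] args) {
        int[] samples = {7, 24, 300, 0x01020304, -1};   // constructed values
        for (int v : samples) {
            byte[] bad = encodeAsPrinted(v), good = encodeShiftRight(v);
            System.out.printf("%11d  printed [%s] -> %d   right-shift [%s] -> %d%n",
                    v, hex(bad), decode(bad), hex(good), decode(good));
        }
        // Distinct key values that survive each encoding across 65536 consecutive inputs.
        Set<Integer> printed = new HashSet<>(), fixed = new HashSet<>();
        for (int v = 0; v < 65536; v++) {
            printed.add(decode(encodeAsPrinted(v)));
            fixed.add(decode(encodeShiftRight(v)));
        }
        System.out.printf("distinct keys: printed=%d, right-shift=%d%n", printed.size(), fixed.size());
    }
}
```

Values from 0 to 255 encode identically under both versions, so the defect stays invisible with the small rotation values of the first example and only shows once the field holds a full int.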