Code review request, 7106773: 512 bits RSA key cannot work withSHA384 and SHA512

Weijun Wang at
Wed Jan 11 02:42:52 PST 2012

On 01/11/2012 06:02 PM, Xuelei Fan wrote:
> On 1/11/2012 5:50 PM, Weijun Wang wrote:
>> Hi Andrew
>> Take a brief look at the webrev. Looks like this Lengthable thing is the
>> only change after your previous webrev. Please confirm.
> Yes.
>> But I want something bigger. I would like to know if it is possible to
>> add this keysize() method deep down into the very basic Key interface.
>> If Key can have a method called getEncoded() I think this means it
>> normally has a concrete form and surely has a publicly acceptable
>> keysize() attribute. In JDK 8 we have default implementation for new
>> interface methods. Is this issue a good candidate?
> As Key is an java interface, we may not be able to add one more method
> for compatibility reason. We may export the "Lengthable"/"Measurable"
> interface in JDK 8. It's possible to implement Lengthable in all
> sub-classes of Key in Oracle provider, but as would involve too many
> changes. As we need to backport this fix into JDK 7, I think we'd better
> consider the big picture in the future.

Then I think the previous webrev is enough for JDK 7, and for JDK 8, we
simply add a new keysize() method to Key.


>> At least, in KeyLength::getKeySize(), I would like to see "if (key
>> instanceof Lengthable)" to be the first check, and, if possible, the
>> only one needed, at least for keys from providers built in JDK.
> It's OK to check it at first. But as we also need to support other
> providers, I think we'd better also check other types of instance.
> Thanks,
> Xuelei
>> Thanks
>> Max
>> On 01/11/2012 08:57 AM, Xuelei Fan wrote:
>>> "Measurable" looks like a better name. I will update the name in the
>>> next webrev after this round of code review:
>>> webrev:
>>> Thanks,
>>> Xuelei
>>> On 1/10/2012 11:47 PM, Vincent Ryan wrote:
>>>> On 01/10/12 03:19 PM, Xuelei Fan wrote:
>>>>> On 1/10/2012 11:09 PM, Weijun Wang wrote:
>>>>>> It's late night and I'll read it tomorrow. But can you choose another
>>>>>> word instead of Lengthable? Length is not a verb.
>>>>> ;-) The name took me a lot of time, searching by google, dictionary, and
>>>>> any possible English translation. I have to agree that I failed to find
>>>>> a suitable name. I tried hardly to persuade myself that "lengthable" is
>>>>> also used by someother application code, so it might not too bad to use
>>>>> it here.
>>>>> With the word "lengthable", I want to express that the length is
>>>>> measurable. Any suggestion for the better one?
>>>> Measurable ;-)
>>>>> Thanks,
>>>>> Xuelei
>>>>>> Max
>>>>>> ------------------------------------------------------------------------
>>>>>> ·¢¼þÈË: Xuelei Fan
>>>>>> ·¢ËÍʱ¼ä: 2012/1/10 22:51
>>>>>> ÊÕ¼þÈË: Weijun Wang
>>>>>> ³­ËÍ: OpenJDK
>>>>>> Ö÷Ìâ: Re: Code review request, 7106773: 512 bits RSA key cannot work
>>>>>> withSHA384 and SHA512
>>>>>> It has been around 50 days passed since the last day we talked about the
>>>>>> issue. Hope you can recall it from the deep memory. ;-)
>>>>>> webrev:
>>>>>> In this update, as we agreed, a new Oracle private interface was
>>>>>> introduced:, and Lengthable.length() is
>>>>>> defined to get the length an object. and
>>>>>> will implements the interface. As will easy and
>>>>>> speedup (comparing with reflection approach) the getting of key length
>>>>>> of those unextractable keys in hardware device.
>>>>>> In the webrev, I should also include another two signed jars,
>>>>>> sunpkcs11.jar and sunmscapi.jar. I will include them when I get the
>>>>>> official signed jars.
>>>>>> Thanks,
>>>>>> Xuelei
>>>>>> On 11/22/2011 8:41 AM, Weijun Wang wrote:
>>>>>>> I really like this one.
>>>>>>> Thanks
>>>>>>> Max
>>>>>>> On 11/21/2011 08:05 PM, Xuelei Fan wrote:
>>>>>>>>>>    How about this approach? This looks very safe.
>>>>>>>> I also prefer this approach, although it need more updates in PKCS11 and
>>>>>>>> MSCPI source code. If you vote for this approach, I will try to
>>>>>>>> implement it.

More information about the security-dev mailing list