Code Review Request for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()
Valerie (Yu-Ching) Peng
valerie.peng at oracle.com
Fri Nov 22 19:54:03 UTC 2013
Even if Solaris PKCS11 provider starts to support 2048-bit DSA keys, its
SHA1withDSA signature impl should still only accept up-to-1024-bit DSA
keys. The longer DSA keys need newer signature impls using SHA2-family
digests.
So, the regression test should still be valid.
Thanks,
Valerie
On 11/22/13 07:40, Sean Mullan wrote:
> The fix looks good. One comment on the test - it looks like the test
> would start failing if Solaris PKCS11 started to support 2048 bit DSA
> keys. Is there a way to workaround that by checking the max key length
> supported by the library?
>
> --Sean
>
> On 11/19/2013 08:37 PM, Valerie (Yu-Ching) Peng wrote:
>>
>> Can someone please help review my fixes for 7200306: SunPKCS11 provider
>> delays the check of DSA key size for SHA1withDSA to sign() instead of
>> init()?
>>
>> Native PKCS11 libraries don't seem to check the key during the
>> initialization calls (triggered by initSign()/initVerify()).
>> Rather, it errors out during the subsequent update() calls. So, I added
>> necessary key length checks.
>>
>> Webrev:
>> http://cr.openjdk.java.net/~valeriep/7200306/webrev.00/
>>
>> Thanks,
>> Valerie
>
More information about the security-dev
mailing list