Code Review Request for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()

Sean Mullan sean.mullan at oracle.com
Fri Nov 22 20:20:07 UTC 2013


On 11/22/2013 02:54 PM, Valerie (Yu-Ching) Peng wrote:
>
> Even if Solaris PKCS11 provider starts to support 2048-bit DSA keys, its
> SHA1withDSA signature impl should still only accept up-to-1024-bit DSA
> keys. The longer DSA keys need newer signature impls using SHA2-family
> digests.
> So, the regression test should still be valid.

Ok, sounds good.

--Sean

> Thanks,
> Valerie
>
> On 11/22/13 07:40, Sean Mullan wrote:
>> The fix looks good. One comment on the test - it looks like the test
>> would start failing if Solaris PKCS11 started to support 2048-bit DSA
>> keys. Is there a way to work around that by checking the max key length
>> supported by the library?
>>
>> --Sean
>>
>> On 11/19/2013 08:37 PM, Valerie (Yu-Ching) Peng wrote:
>>>
>>> Can someone please help review my fixes for 7200306: SunPKCS11 provider
>>> delays the check of DSA key size for SHA1withDSA to sign() instead of
>>> init()?
>>>
>>> Native PKCS11 libraries don't seem to check the key during the
>>> initialization calls (triggered by initSign()/initVerify()).
>>> Rather, it errors out during the subsequent update() calls. So, I added
>>> necessary key length checks.
>>>
>>> Webrev:
>>> http://cr.openjdk.java.net/~valeriep/7200306/webrev.00/
>>>
>>> Thanks,
>>> Valerie
>>
>
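
An added example, not the webrev's code or the JDK regression test: a small Java harness that reports at which call a provider's SHA1withDSA implementation rejects a DSA key, next to a fail-fast key length check of the kind the thread describes. The class and method names are hypothetical, the 1024-bit limit is the one stated in the thread, and the provider is whichever one `Signature.getInstance` selects by default.

```java
import java.security.*;
import java.security.interfaces.DSAKey;
import java.security.interfaces.DSAParams;

public class DsaInitCheck {
    // Limit stated in the thread: SHA1withDSA takes DSA keys of up to 1024 bits.
    static final int MAX_SHA1_DSA_BITS = 1024;

    // Hypothetical fail-fast check, meant to run from initSign()/initVerify().
    static void checkKeySize(Key key) throws InvalidKeyException {
        DSAParams params = (key instanceof DSAKey) ? ((DSAKey) key).getParams() : null;
        if (params == null) {
            throw new InvalidKeyException("DSA key with parameters required");
        }
        int bits = params.getP().bitLength();
        if (bits > MAX_SHA1_DSA_BITS) {
            throw new InvalidKeyException("SHA1withDSA: " + bits + "-bit key is too long");
        }
    }

    // Returns the call at which the provider rejected the key, or "accepted".
    static String rejectionStage(Signature sig, PrivateKey key) {
        String stage = "initSign";
        try {
            sig.initSign(key);
            stage = "update";
            sig.update(new byte[] {1, 2, 3});   // constructed sample data
            stage = "sign";
            sig.sign();
            return "accepted";
        } catch (GeneralSecurityException | ProviderException e) {
            return stage;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        for (int bits : new int[] {1024, 2048}) {
            kpg.initialize(bits);
            PrivateKey key = kpg.generateKeyPair().getPrivate();
            String early;
            try { checkKeySize(key); early = "ok"; }
            catch (InvalidKeyException e) { early = "rejected"; }
            Signature sig = Signature.getInstance("SHA1withDSA");
            System.out.println(bits + "-bit key: early check " + early + ", provider "
                + sig.getProvider().getName() + " stage: " + rejectionStage(sig, key));
        }
    }
}
```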



