Code Review Request for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()
Valerie (Yu-Ching) Peng
valerie.peng at oracle.com
Fri Nov 22 20:36:30 UTC 2013
Thanks for the prompt review~
Valerie
On 11/22/13 12:20, Sean Mullan wrote:
> On 11/22/2013 02:54 PM, Valerie (Yu-Ching) Peng wrote:
>>
>> Even if Solaris PKCS11 provider starts to support 2048-bit DSA keys, its
>> SHA1withDSA signature impl should still only accept up-to-1024-bit DSA
>> keys. The longer DSA keys need newer signature impls using SHA2-family
>> digests.
>> So, the regression test should still be valid.
>
> Ok, sounds good.
>
> --Sean
>
>> Thanks,
>> Valerie
>>
>> On 11/22/13 07:40, Sean Mullan wrote:
>>> The fix looks good. One comment on the test - it looks like the test
>>> would start failing if Solaris PKCS11 started to support 2048 bit DSA
>>> keys. Is there a way to workaround that by checking the max key length
>>> supported by the library?
>>>
>>> --Sean
>>>
>>> On 11/19/2013 08:37 PM, Valerie (Yu-Ching) Peng wrote:
>>>>
>>>> Can someone please help review my fixes for 7200306: SunPKCS11
>>>> provider
>>>> delays the check of DSA key size for SHA1withDSA to sign() instead of
>>>> init()?
>>>>
>>>> Native PKCS11 libraries don't seem to check the key during the
>>>> initialization calls (triggered by initSign()/initVerify()).
>>>> Rather, it errors out during the subsequent update() calls. So, I
>>>> added
>>>> necessary key length checks.
>>>>
>>>> Webrev:
>>>> http://cr.openjdk.java.net/~valeriep/7200306/webrev.00/
>>>>
>>>> Thanks,
>>>> Valerie
>>>
>>
>
More information about the security-dev
mailing list