RFR 8171190: Bump reference of NIST 800-57 Part 1 Rev 3 to Rev 4 in JarSigner API spec
Bernd Eckenfels
ecki at zusammenkunft.net
Wed Dec 14 09:19:19 UTC 2016
Hello,
I noticed in the existing code: Is the comment "256 bits" referring to the 'comparable strength'?
# if (bitLength > 7680) { // 256 bits
If so, it seems misleading, according to table 2 this would be 192 bit. Maybe this can be corrected, removed or the meaning of the comment clarified.
Regards
Bernd
--
http://bernd.eckenfels.net
_____________________________
From: Wang Weijun <weijun.wang at oracle.com>
Sent: Wednesday, December 14, 2016 4:39 AM
Subject: RFR 8171190: Bump reference of NIST 800-57 Part 1 Rev 3 to Rev 4 in JarSigner API spec
To: <security-dev at openjdk.java.net>
NIST 800-57 Part 1 has a new revision. The lines below are newly introduced in jdk9.
diff --git a/src/java.base/share/classes/sun/security/x509/AlgorithmId.java b/src/java.base/share/classes/sun/security/x509/AlgorithmId.java
--- a/src/java.base/share/classes/sun/security/x509/AlgorithmId.java
+++ b/src/java.base/share/classes/sun/security/x509/AlgorithmId.java
@@ -1024,7 +1024,7 @@
}
}
- // Values from SP800-57 part 1 rev 3 tables 2 and three
+ // Values from SP800-57 part 1 rev 4 tables 2 and 3
private static String ecStrength (int bitLength) {
if (bitLength >= 512) { // 256 bits of strength
return "SHA512";
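Review bot: The updated comment above ecStrength spells the reference "SP800-57 part 1 rev 4", while the JarSigner javadoc changed in the same patch spells it "NIST SP 800-57 Part 1-Rev.4". Using one spelling in both files would let a single search find every place to update the next time the revision changes.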
@@ -1035,7 +1035,7 @@
}
}
- // same values for RSA and DSA
+ // Same values for RSA and DSA
private static String ifcFfcStrength (int bitLength) {
if (bitLength > 7680) { // 256 bits
return "SHA512";
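Review bot: In ifcFfcStrength, the trailing comment on "if (bitLength > 7680) { // 256 bits" does not say what the 256 measures, whereas the matching line in ecStrength reads "256 bits of strength". Since this hunk already edits the comment directly above it, state the unit the same way here, and check the figure for the "> 7680" branch against the tables that the ecStrength header comment cites before leaving it in place.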
diff --git a/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java b/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java
--- a/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java
+++ b/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java
@@ -430,7 +430,7 @@
* SHA384withECDSA for a 384-bit EC key.
*
* @implNote This implementation makes use of comparable strengths
- * as defined in Tables 2 and 3 of NIST SP 800-57 Part 1-Rev.3.
+ * as defined in Tables 2 and 3 of NIST SP 800-57 Part 1-Rev.4.
* Specifically, if a DSA or RSA key with a key size greater than 7680
* bits, or an EC key with a key size greater than or equal to 512 bits,
* SHA-512 will be used as the hash function for the signature.
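Review bot: The @implNote keeps the thresholds "greater than 7680" and "greater than or equal to 512" while the citation moves to Rev.4, so the change description should say that these values were checked against Tables 2 and 3 of the new revision. The sentence starting "Specifically, if a DSA or RSA key" also has no verb in its if-clause; "if a DSA or RSA key ... is used" would make it read correctly.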
Thanks
Max