Code Review Request 8139565 Restrict certificates with DSA keys less than 1024 bits

Xuelei Fan xuelei.fan at oracle.com
Wed Feb 17 15:24:13 UTC 2016


Hi Sean,

Thanks for the review.  I found a new bug in KeyUtil.java and plan to fix
it in the same update.  Please review the KeyUtil update:

   http://cr.openjdk.java.net/~xuelei/8139565/webrev.02/

The DSA parameters may not be present in an X.509 certificate. The return
value of DSAKey.getParams() may be null. This special case is now
considered in the KeyUtil implementation.

Thanks,
Xuelei

On 2/17/2016 4:22 AM, Sean Mullan wrote:
> Looks good.
> 
> --Sean
> 
> On 02/16/2016 12:16 AM, Xuelei Fan wrote:
>> Added a new regression test:
>>
>>     http://cr.openjdk.java.net/~xuelei/8139565/webrev.01/
>>
>> Thanks,
>> Xuelei
>>
>> On 2/15/2016 8:23 AM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Please review this security crypto constraints update:
>>>
>>>     http://cr.openjdk.java.net/~xuelei/8139565/webrev.00/
>>>
>>> This fix updates the Java security property,
>>> "jdk.certpath.disabledAlgorithms", to restrict the use of certificates
>>> with DSA keys less than 1024 bits in certification path processing.
>>> Applications can update this restriction in the security property
>>> ("jdk.certpath.disabledAlgorithms") and permit smaller key sizes if
>>> really needed (for example, "DSA keySize < 768").
>>>
>>> Thanks,
>>> Xuelei
>>>
>>
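
An added illustration of the null-parameter case discussed in this thread (this is not code from the webrev or from the JDK's KeyUtil): a key-size check that models a "DSA keySize < 1024" restriction and handles a DSAKey whose getParams() returns null. The class and method names, the allowUnknown policy switch and the stub key values are assumptions made for the example.

```java
import java.math.BigInteger;
import java.security.Key;
import java.security.interfaces.DSAKey;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
import java.security.spec.DSAParameterSpec;

public class DsaKeySizeCheck {
    static final int UNKNOWN = -1;

    // Bit length of the DSA prime p, or UNKNOWN when getParams() is null
    // (parameters not present in the certificate's key).
    static int dsaKeySize(DSAKey key) {
        DSAParams params = key.getParams();
        return params == null ? UNKNOWN : params.getP().bitLength();
    }

    // Models a "DSA keySize < minBits" restriction. How a key of unknown
    // size is treated is left to the caller (an assumption of this example).
    static boolean permits(Key key, int minBits, boolean allowUnknown) {
        if (!(key instanceof DSAKey)) return true; // restriction is DSA-only
        int size = dsaKeySize((DSAKey) key);
        return size == UNKNOWN ? allowUnknown : size >= minBits;
    }

    // Constructed stand-in key; the values are not real DSA parameters.
    static DSAPublicKey stubKey(final DSAParams params) {
        return new DSAPublicKey() {
            public BigInteger getY() { return BigInteger.ONE; }
            public DSAParams getParams() { return params; }
            public String getAlgorithm() { return "DSA"; }
            public String getFormat() { return null; }
            public byte[] getEncoded() { return null; }
        };
    }

    static DSAParams paramsWithBits(int bits) {
        BigInteger p = BigInteger.ONE.shiftLeft(bits - 1); // bitLength == bits
        return new DSAParameterSpec(p, BigInteger.ONE, BigInteger.ONE);
    }

    public static void main(String[] args) {
        Key small = stubKey(paramsWithBits(768));
        Key ok = stubKey(paramsWithBits(1024));
        Key noParams = stubKey(null); // the case a naive getP() call would NPE on
        System.out.println("768-bit permitted:  " + permits(small, 1024, true));
        System.out.println("1024-bit permitted: " + permits(ok, 1024, true));
        System.out.println("null params, lenient: " + permits(noParams, 1024, true));
        System.out.println("null params, strict:  " + permits(noParams, 1024, false));
    }
}
```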
