Code Review Request 8139565 Restrict certificates with DSA keys less than 1024 bits
Sean Mullan
sean.mullan at oracle.com
Wed Feb 17 22:09:29 UTC 2016
Looks fine.
--Sean
On 02/17/2016 10:24 AM, Xuelei Fan wrote:
> Hi Sean,
>
> Thanks for the review. I found a new bug in KeyUtil.java and plan to fix it in
> the same update. Please review the KeyUtil update:
>
> http://cr.openjdk.java.net/~xuelei/8139565/webrev.02/
>
> The DSA parameter may not be present in an X.509 certificate. The return
> value of DSAKey.getParams() may be null. This special case is now
> considered in the KeyUtil implementation.
>
> Thanks,
> Xuelei
>
> On 2/17/2016 4:22 AM, Sean Mullan wrote:
>> Looks good.
>>
>> --Sean
>>
>> On 02/16/2016 12:16 AM, Xuelei Fan wrote:
>>> Added a new regression test:
>>>
>>> http://cr.openjdk.java.net/~xuelei/8139565/webrev.01/
>>>
>>> Thanks,
>>> Xuelei
>>>
>>> On 2/15/2016 8:23 AM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> Please review this security crypto constraints update:
>>>>
>>>> http://cr.openjdk.java.net/~xuelei/8139565/webrev.00/
>>>>
>>>> This fix updates the Java security property,
>>>> "jdk.certpath.disabledAlgorithms", to restrict the use of certificates
>>>> with DSA keys less than 1024 bits in certification path processing.
>>>> Applications can update this restriction in the security property
>>>> ("jdk.certpath.disabledAlgorithms") and permit smaller key sizes if
>>>> really needed (for example, "DSA keySize < 768").
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>>
>
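
The two points discussed in this thread, a "DSA keySize < 1024" restriction and a DSA key whose getParams() returns null, shown as an added example that is not part of the thread or of the JDK sources. The class and method names (DsaKeySizeCheck, dsaKeySize, evaluate, generate) are hypothetical, and reporting a key without parameters as "undetermined" is an assumption, not a statement of how KeyUtil handles it.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.interfaces.DSAKey;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;

public class DsaKeySizeCheck {
    // Hypothetical helper: bit length of the prime p, or -1 when the key
    // carries no DSA parameters (getParams() returned null).
    static int dsaKeySize(DSAKey key) {
        DSAParams params = key.getParams();
        return (params == null) ? -1 : params.getP().bitLength();
    }

    // Hypothetical policy mirroring a "DSA keySize < minBits" constraint.
    // Assumption: an unknown size is reported separately, never as a pass.
    static String evaluate(DSAKey key, int minBits) {
        int size = dsaKeySize(key);
        if (size < 0) return "UNDETERMINED (no parameters in key)";
        return size < minBits ? "REJECT (" + size + " bits)" : "PERMIT (" + size + " bits)";
    }

    static DSAPublicKey generate(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(bits);
        return (DSAPublicKey) kpg.generateKeyPair().getPublic();
    }

    public static void main(String[] args) throws Exception {
        // Effective constraint string of the running JDK.
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));

        DSAPublicKey weak = generate(768);
        DSAPublicKey ok = generate(1024);
        // Constructed key object whose parameters are absent.
        DSAPublicKey bare = new DSAPublicKey() {
            public BigInteger getY() { return ok.getY(); }
            public DSAParams getParams() { return null; }
            public String getAlgorithm() { return "DSA"; }
            public String getFormat() { return null; }
            public byte[] getEncoded() { return null; }
        };
        System.out.println("768-bit key:  " + evaluate(weak, 1024));
        System.out.println("1024-bit key: " + evaluate(ok, 1024));
        System.out.println("no params:    " + evaluate(bare, 1024));
    }
}
```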