Code Review Request 8139565 Restrict certificates with DSA keys less than 1024 bits

Sean Mullan sean.mullan at oracle.com
Wed Feb 17 22:09:29 UTC 2016


Looks fine.

--Sean

On 02/17/2016 10:24 AM, Xuelei Fan wrote:
> Hi Sean,
>
> Thanks for the review.  I found a new bug in KeyUtil.java and plan to fix
> it in the same update.  Please review the KeyUtil update:
>
>     http://cr.openjdk.java.net/~xuelei/8139565/webrev.02/
>
> The DSA parameter may not be present in an X.509 certificate. The return
> value of DSAKey.getParams() may be null. This special case is now
> considered in the KeyUtil implementation.
>
> Thanks,
> Xuelei
>
> On 2/17/2016 4:22 AM, Sean Mullan wrote:
>> Looks good.
>>
>> --Sean
>>
>> On 02/16/2016 12:16 AM, Xuelei Fan wrote:
>>> Added a new regression test:
>>>
>>>      http://cr.openjdk.java.net/~xuelei/8139565/webrev.01/
>>>
>>> Thanks,
>>> Xuelei
>>>
>>> On 2/15/2016 8:23 AM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> Please review this security crypto constraints update:
>>>>
>>>>      http://cr.openjdk.java.net/~xuelei/8139565/webrev.00/
>>>>
>>>> This fix updates the Java security property,
>>>> "jdk.certpath.disabledAlgorithms", to restrict the use of certificates
>>>> with DSA keys less than 1024 bits in certification path processing.
>>>> Applications can update this restriction in the security property
>>>> ("jdk.certpath.disabledAlgorithms") and permit smaller key sizes if
>>>> really needed (for example, "DSA keySize < 768").
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>>
>
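
The null-parameter case discussed in the thread, as an added example that is not taken from the webrev or from the JDK's KeyUtil. The helper names `dsaKeySize` and `withoutParams` are hypothetical, and returning -1 for "size unknown" is an assumption of this sketch, not the behaviour of the actual fix.

```java
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.interfaces.DSAKey;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;

public class DsaKeySizeCheck {
    // Hypothetical helper (not the JDK's KeyUtil): DSA key size in bits, or -1
    // when the key is not DSA or carries no parameters.
    static int dsaKeySize(Key key) {
        if (!(key instanceof DSAKey)) return -1;
        DSAParams params = ((DSAKey) key).getParams();   // may be null
        return (params == null) ? -1 : params.getP().bitLength();
    }

    // Constructed sample: a DSA public key whose parameters are absent,
    // as can happen for a key taken from an X.509 certificate.
    static DSAPublicKey withoutParams(BigInteger y) {
        return new DSAPublicKey() {
            public BigInteger getY() { return y; }
            public DSAParams getParams() { return null; }
            public String getAlgorithm() { return "DSA"; }
            public String getFormat() { return null; }
            public byte[] getEncoded() { return null; }
        };
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024);
        Key full = kpg.generateKeyPair().getPublic();
        Key bare = withoutParams(((DSAPublicKey) full).getY());

        // The property named in the thread; its value depends on the installed JDK.
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));
        for (Key k : new Key[] { full, bare }) {
            int bits = dsaKeySize(k);
            System.out.println(bits < 0
                    ? "size unknown (no DSA parameters)"
                    : bits + " bits, below 1024: " + (bits < 1024));
        }
    }
}
```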