RFR 8138653: Default key sizes for the AlgorithmParameterGenerator and KeyPairGenerator implementations should be upgraded

[Sean Mullan]

On 02/24/2016 11:58 AM, Seán Coffey wrote:
> I think you might have forgotten the PKCS11 implementation Sean.
> e.g.
> src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java

Good catch, although I think we should only increase the size for RSA 
key pairs, since we don't yet support the SHA-2 DSA signature algorithms 
for pkcs11, and it will throw an exception if keys larger than 1024 bits 
are used to sign or verify data.

Valerie or Vinnie, do you know why we don't yet have support for SHA-2 
withDSA signature algorithms in our PKCS11 provider? I don't see a bug 
filed for it.

> On a side note, I notice a discrepancy in the KeyPairGenerator javadoc.
> It's more of an implNote issue :
>
>> If the algorithm is the/DSA/algorithm, and the keysize (modulus size)
>> is 512, 768, or 1024, then the/Sun/provider uses a set of precomputed
>> values for the|p|,|q|, and|g|parameters.
>
> I think we also cache 2048 bit values. Maybe you can modify.

This is true -- I will add 2048 to the above sentence.

--Sean

>
> Regards,
> Sean.
>
> On 24/02/16 14:54, Sean Mullan wrote:
>> Please review this fix to improve security defaults by increasing the
>> default keysize of the RSA, DSA, and DiffieHellman implementations of
>> AlgorithmParameterGenerator and KeyPairGenerator from 1024 to 2048 bits:
>>
>> http://cr.openjdk.java.net/~mullan/webrevs/8138653/webrev.00/
>>
>> Thanks,
>> Sean
>>
>