[9] RFR 8161571: Verifying ECDSA signatures permits trailing bytes
Xuelei Fan
xuelei.fan at oracle.com
Thu Jul 21 22:58:58 UTC 2016
Looks fine to me. Thanks!
Xuelei
On 7/22/2016 6:08 AM, Vincent Ryan wrote:
> Thanks for the review.
>
> The PKCS11 implementation is a little peculiar in that it is configured out-of-the-box only for Solaris
> and that implementation doesn’t support DSA. So I’ve added only the first of your additional lines below.
>
> (NOTE the update to the Ucrypto provider)
>
> Updated webrev at:
> http://cr.openjdk.java.net/~vinnie/8161571/webrev.01/
>
>
>
>
>> On 21 Jul 2016, at 15:46, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>
>> Looks fine to me.
>>
>> Just two minor comments. The run tag in the test may not be necessary.
>> Like the EC algorithm, maybe the PKCS11 implementation of the RSA and DSA
>> algorithms can also be checked on some platforms if not using the provider
>> option.
>>
>> + main0("RSA", 2048, "SHA256withRSA", null);
>> + main0("DSA", 2048, "SHA256withDSA", null);
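Review bot: both added calls pass null as the last argument, and nothing beside them says which provider that ends up selecting or on which platforms the RSA and DSA cases are expected to run. A one-line comment above the two calls stating that, and what the test does where the selected provider lacks the algorithm, would keep the DSA case from failing or being skipped without explanation.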
>>
>> Xuelei
>>
>> On 7/20/2016 3:10 AM, Vincent Ryan wrote:
>>> Please review this fix to apply stricter length checks when verifying public key signatures.
>>> Thanks.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8161571
>>> Webrev: http://cr.openjdk.java.net/~vinnie/8161571/webrev.00/
>>>
>>
>
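A regression check for the behaviour this thread discusses, as an added example that is not the test from the webrev: it signs a constructed message, appends extra bytes to the valid signature, and reports whether verification refuses the result. It assumes the runtime's default providers; the class and method names are hypothetical, and the algorithm names mirror the ones mentioned in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;

// Hypothetical helper class, not part of the JDK or of the reviewed change.
public class TrailingBytesCheck {

    // True when a valid signature followed by extra bytes is refused,
    // either by verify() returning false or by a SignatureException.
    static boolean rejectsPadded(String keyAlg, int keySize, String sigAlg)
            throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlg);
        kpg.initialize(keySize);
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        Signature s = Signature.getInstance(sigAlg);
        s.initSign(kp.getPrivate());
        s.update(msg);
        byte[] sig = s.sign();

        // Baseline: the untouched signature must verify, or the check is void.
        s.initVerify(kp.getPublic());
        s.update(msg);
        if (!s.verify(sig)) {
            throw new IllegalStateException("baseline verification failed");
        }

        // Same signature with four zero bytes appended.
        byte[] padded = Arrays.copyOf(sig, sig.length + 4);
        s.initVerify(kp.getPublic());
        s.update(msg);
        try {
            return !s.verify(padded);
        } catch (SignatureException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        String[][] cases = { {"EC", "256", "SHA256withECDSA"},
            {"RSA", "2048", "SHA256withRSA"}, {"DSA", "2048", "SHA256withDSA"} };
        for (String[] c : cases) {
            boolean ok = rejectsPadded(c[0], Integer.parseInt(c[1]), c[2]);
            System.out.println(c[2] + ": " + (ok ? "rejected" : "ACCEPTED trailing bytes"));
        }
    }
}
```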