Code Review Request, 8154344 sun/security/pkcs11/KeyAgreement/SupportedDHKeys.java fails on solaris

Michael StJohns mstjohns at comcast.net
Fri May 6 17:17:14 UTC 2016


On 5/6/2016 10:40 AM, Xuelei Fan wrote:
> Hi,
>
> Please review this simple test failure fix:
>
>      http://cr.openjdk.java.net/~xuelei/8154344/webrev.00/
>
> The underlying crypto lib may generate DH private keys out of the normal
> expected range.  This fix removes the range checking for DH private keys.
>
> Thanks,
> Xuelei

I'm confused about this.  I read the code and reviewed NIST SP800-56A 
Rev 1, section 5.6.2.4 and the check you're commenting out is the 
correct check for validity.  If the provider is failing this check, 
shouldn't the provider be fixed?

I.e. the test is failing as expected.

If you still want to open up this code, then I'd probably add the second 
test for the public key:

if (y.modPow(q,p).compareTo(BigInteger.ONE) != 0)
     throw new Exception (...);

I'd probably also compare the params in both public and private keys for 
equality at the beginning of the checkKeyPair test and then dump the 
second check for p.bitSize().
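
The checks discussed in this message (matching parameters in both keys, the private key range, and the y^q mod p test on the public key), as an added example that is not part of the original post and is not the OpenJDK test code. The class and method names are hypothetical, the ranges [1, q-1] and [2, p-2] are the FFC key ranges from NIST SP 800-56A, q is assumed to be supplied by the caller (for a safe prime p, q = (p-1)/2), and the group is a constructed toy group.

```java
import java.math.BigInteger;
import javax.crypto.spec.DHPrivateKeySpec;
import javax.crypto.spec.DHPublicKeySpec;

public class DhKeyPairCheck {

    // Returns null if the pair passes, otherwise the reason it was rejected.
    // q is the subgroup order (assumption: supplied by the caller, since the
    // key specs only carry p and g).
    static String check(DHPublicKeySpec pub, DHPrivateKeySpec priv, BigInteger q) {
        BigInteger p = pub.getP(), y = pub.getY(), x = priv.getX();
        BigInteger two = BigInteger.valueOf(2);

        // Both halves of the pair must use the same domain parameters.
        if (!p.equals(priv.getP()) || !pub.getG().equals(priv.getG())) {
            return "public and private key parameters differ";
        }
        // Private key range: 1 <= x <= q - 1.
        if (x.signum() <= 0 || x.compareTo(q) >= 0) {
            return "private key outside [1, q-1]";
        }
        // Public key range: 2 <= y <= p - 2.
        if (y.compareTo(two) < 0 || y.compareTo(p.subtract(two)) > 0) {
            return "public key outside [2, p-2]";
        }
        // Subgroup membership: y^q mod p == 1 (the second test from the message).
        if (y.modPow(q, p).compareTo(BigInteger.ONE) != 0) {
            return "public key not in the order-q subgroup";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed toy group, far too small for real use: p = 2q + 1, g of order q.
        BigInteger p = BigInteger.valueOf(23), q = BigInteger.valueOf(11), g = BigInteger.valueOf(2);
        BigInteger x = BigInteger.valueOf(6), y = g.modPow(x, p);
        DHPublicKeySpec pub = new DHPublicKeySpec(y, p, g);

        // A well-formed pair.
        System.out.println(check(pub, new DHPrivateKeySpec(x, p, g), q));
        // Private key equal to q, one past the top of the allowed range.
        System.out.println(check(pub, new DHPrivateKeySpec(q, p, g), q));
        // y = 5 is inside [2, p-2] but generates the full group, not the order-q subgroup.
        System.out.println(check(new DHPublicKeySpec(BigInteger.valueOf(5), p, g),
                                 new DHPrivateKeySpec(x, p, g), q));
        // Private key carrying a different generator than the public key.
        System.out.println(check(pub, new DHPrivateKeySpec(x, p, BigInteger.valueOf(3)), q));
    }
}
```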





