Code Review Request, 8154344 sun/security/pkcs11/KeyAgreement/SupportedDHKeys.java fails on solaris

Xuelei Fan xuelei.fan at oracle.com
Fri May 6 23:19:01 UTC 2016


On 5/7/2016 1:17 AM, Michael StJohns wrote:
> On 5/6/2016 10:40 AM, Xuelei Fan wrote:
>> Hi,
>>
>> Please review this simple test failure fix:
>>
>>      http://cr.openjdk.java.net/~xuelei/8154344/webrev.00/
>>
>> The underlying crypto lib may generate DH private keys out of the normal
>> expected range.  This fix removes the range checking for DH private keys.
>>
>> Thanks,
>> Xuelei
> 
> I'm confused about this.  I read the code and reviewed NIST SP800-56A
> Rev 1, section 5.6.2.4 and the check you're commenting out is the
> correct check for validity.  If the provider is failing this check,
> shouldn't the provider be fixed?
> 
Yes.  This is might be a platform crypto lib issue.  I want to bring
back the testing at first, and open the test again after the issue get
fixed.

> I.e. the test is failing as expected.
> 
> If you still want to open up this code, then I'd probably add the second
> test for the public key:
> 
> if (y.modPow(q,p).compareTo(BigInteger.ONE) != 0)
>     throw new Exception (...);
> 
> I'd probably also compare the params in both public and private keys for
> equality at the beginning of the checkKeyPair test and then dump the
> second check for p.bitSize().
> 
Hm, good suggestions!  I will make the update if the test opens later.

Thanks,
Xuelei



More information about the security-dev mailing list