Code Review Request, 8154344 sun/security/pkcs11/KeyAgreement/SupportedDHKeys.java fails on solaris
Xuelei Fan
xuelei.fan at oracle.com
Fri May 6 23:19:01 UTC 2016
On 5/7/2016 1:17 AM, Michael StJohns wrote:
> On 5/6/2016 10:40 AM, Xuelei Fan wrote:
>> Hi,
>>
>> Please review this simple test failure fix:
>>
>> http://cr.openjdk.java.net/~xuelei/8154344/webrev.00/
>>
>> The underlying crypto lib may generate DH private keys out of the normal
>> expected range. This fix removes the range checking for DH private keys.
>>
>> Thanks,
>> Xuelei
>
> I'm confused about this. I read the code and reviewed NIST SP800-56A
> Rev 1, section 5.6.2.4 and the check you're commenting out is the
> correct check for validity. If the provider is failing this check,
> shouldn't the provider be fixed?
>
Yes. This is might be a platform crypto lib issue. I want to bring
back the testing at first, and open the test again after the issue get
fixed.
> I.e. the test is failing as expected.
>
> If you still want to open up this code, then I'd probably add the second
> test for the public key:
>
> if (y.modPow(q,p).compareTo(BigInteger.ONE) != 0)
> throw new Exception (...);
>
> I'd probably also compare the params in both public and private keys for
> equality at the beginning of the checkKeyPair test and then dump the
> second check for p.bitSize().
>
Hm, good suggestions! I will make the update if the test opens later.
Thanks,
Xuelei
More information about the security-dev
mailing list