RFR[11] JDK-8206171: Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized
Valerie Peng
valerie.peng at oracle.com
Fri Jul 13 02:01:41 UTC 2018
Hi Max,
The javadoc is for Signature.getParameters(), so null can be returned
for signature algorithms which do not use parameters, e.g.
SHA256withDSA. As Signature class covers all signature algorithms, I am
not sure about mentioning specific algorithm names as it may be lengthy
and even misleading unless we list out all applicable algorithms.
The part of "default and randomly generated" is inherited from existing
javadoc. I think "default" in the aforementioned sentence means
"hardcoded values". For example, something like salt length will likely
have a fixed default value. Since we have no control over 3rd party
providers, I think we may have to keep this for backward compatibility
reason. For RSASSA-PSS sig algorithm, it errors out if the required
parameter is not given. Thus, I added the sentence "If there are no
provider-specific default values, the underlying signature
implementation may also fail".
As for @throws, I debated about it. The main reason for not adding one
is consistency. Many (or should I say most) security classes do not have
@throws for ProviderException. If we were to add @throws
ProviderException here, we should do it across the board. Besides, it is
recommended to NOT document runtime exceptions which callers are not
prepared to handle.
Thanks,
Valerie
On 7/10/2018 7:16 PM, Weijun Wang wrote:
> Hi Valerie
>
> About "it *may* return", do you mean it could also return null? My understanding is no.
>
> Is it better to clarify when the implementation "may also fail"? From the CSR, it's this method. Can you add a @throws spec to this method then?
>
> Also, I am a little confused by "default and randomly generated". Does this actually mean "default (might be randomly generated)"? The "it may" sentence mentions "default and randomly generated" but the "if there" only says "default", which sounds like the the "randomly generated" case could be different.
>
> Thanks
> Max
>
>
>> On Jul 11, 2018, at 5:12 AM, Valerie Peng <valerie.peng at oracle.com> wrote:
>>
>> Hi Brad,
>>
>> Would you have time to review the fix for JDK-8206171: Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized?
>> No source code changes, but just updating javadoc to mention the possible failure case.
>> Otherwise, JCK team expects a parameter object or null being returned.
>> I filed a CSR to track the javadoc clarification.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8206171
>> Webrev: http://cr.openjdk.java.net/~valeriep/8206171/webrev.00/
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8206864
>>
>> Thanks,
>> Valerie
>>
>>
>>
More information about the security-dev
mailing list