[12] RFR 8215694: keytool cannot generate RSASSA-PSS certificates
Xue-Lei Fan
xuelei.fan at oracle.com
Thu Jan 3 15:27:23 UTC 2019
On 1/3/2019 2:10 AM, Weijun Wang wrote:
>
>
>> On Jan 2, 2019, at 11:56 PM, Xue-Lei Fan <xuelei.fan at oracle.com> wrote:
>>
>> sigAlg.equalsIgnoreCase("RSASSA-PSS"):
>> Do you really want to ignore the case? I used to think that an algorithm name is case sensitive.
>
> getInstance(alg) is always case-insensitive.
>
Hm, I missed it.
>>
>> Main.java:1445 minor, 4 more indent?
>
> Then it's longer than 80 chars. How about I un-indent lines 1443 and 1444?
>
maybe, use 4 white spaces? See also the following comment.
>>
>> AlgorithmId.java:1073-1091:
>> I may prefer to use cached parameters (for both AlgorithmParameters and AlgorithmParameterSpec) for each size, for performance.
>
> OK for AlgorithmParameterSpec. Which AlgorithmParameters do you mean? The one in SignatureUtil?
>
Yes, replacing SignatureUtil.createAlgorithmParameters(). Then we don't
need to worry about the indents above.
Thanks,
Xuelei
> Thanks,
> Max
>
>
>>
>>
>> Xuelei
>>
>>
>> On 12/21/2018 1:44 AM, Weijun Wang wrote:
>>> Please take a review at
>>> https://cr.openjdk.java.net/~weijun/8215694/webrev.00/
>>> This bug reveals several issues:
>>> 1. Encoding of the RSASSA-PSS signature algorithm in PKCS10 and X509CertImpl.
>>> 2. The missing of setParameter() call for PKCS10 and X509CertImpl.
>>> 3. All keytool commands of -genkeypair, -certreq, -gencert, -selfcert are affected.
>>> 4. Wrong NULL after encoding of RSASSA-PSS key algorithm.
>>> Please confirm this is safe to be fixed in JDK 12.
>>> Thanks,
>>> Max
>
More information about the security-dev
mailing list