[12] RFR 8215694: keytool cannot generate RSASSA-PSS certificates

Weijun Wang weijun.wang at oracle.com
Thu Jan 10 02:27:10 UTC 2019


Webrev updated again at

   https://cr.openjdk.java.net/~weijun/8215694/webrev.02

The major change this time is in PSSParameters.java. Instead of containing fields for the components of a PSSParameterSpec, it now contains the PSSParameterSpec itself directly. A new public static getEncoded() method is added so it can be called in AlgorithmId.java.

The new getEncoded() method only writes non-default values into the encoding which conforms to the DER rule. I haven't enforced the same check on the read side (i.e. reject the input if a default value is encoded) for interoperability.

Thanks,
Max

> On Jan 7, 2019, at 8:56 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
> 
> Hi Xuelei,
> 
> Webrev updated at
> 
>   https://cr.openjdk.java.net/~weijun/8215694/webrev.01
> 
> A new method AlgorithmId::getWithParameterSpec is added. I also cached 6 constants in AlgorithmId $PSSParamsHolder, although the static block inside it to generate the AlgorithmIds are a little heavy. We can extract the encoding lines inside PSSParameters::engineGetEncoded to create something like PSSParameterSpec::getEncoded(), but that will be an RFE.
> 
> Thanks,
> Max
> 
>> On Jan 3, 2019, at 11:27 PM, Xue-Lei Fan <xuelei.fan at oracle.com> wrote:
>> 
>> On 1/3/2019 2:10 AM, Weijun Wang wrote:
>>>> On Jan 2, 2019, at 11:56 PM, Xue-Lei Fan <xuelei.fan at oracle.com> wrote:
>>>> 
>>>> sigAlg.equalsIgnoreCase("RSASSA-PSS"):
>>>> Do you really want to ignore the case?  I used to think that an algorithm name is case sensitive.
>>> getInstance(alg) is always case-insensitive.
>> Hm, I missed it.
>> 
>>>> 
>>>> Main.java:1445 minor, 4 more indent?
>>> Then it's longer than 80 chars. How about I un-indent lines 1443 and 1444?
>> maybe, use 4 white spaces?  See also the following comment.
>> 
>>>> 
>>>> AlgorithmId.java:1073-1091:
>>>> I may prefer to use cached parameters (for both AlgorithmParameters and AlgorithmParameterSpec) for each size, for performance.
>>> OK for AlgorithmParameterSpec. Which AlgorithmParameters do you mean? The one in SignatureUtil?
>> Yes, replacing SignatureUtil.createAlgorithmParameters().  Then we don't need to worry about the indents above.
>> 
>> Thanks,
>> Xuelei
>> 
>>> Thanks,
>>> Max
>>>> 
>>>> 
>>>> Xuelei
>>>> 
>>>> 
>>>> On 12/21/2018 1:44 AM, Weijun Wang wrote:
>>>>> Please take a review at
>>>>>   https://cr.openjdk.java.net/~weijun/8215694/webrev.00/
>>>>> This bug reveals several issues:
>>>>> 1. Encoding of the RSASSA-PSS signature algorithm in PKCS10 and X509CertImpl.
>>>>> 2. The missing of setParameter() call for PKCS10 and X509CertImpl.
>>>>> 3. All keytool commands of -genkeypair, -certreq, -gencert, -selfcert are affected.
>>>>> 4. Wrong NULL after encoding of RSASSA-PSS key algorithm.
>>>>> Please confirm this is safe to be fixed in JDK 12.
>>>>> Thanks,
>>>>> Max
> 




More information about the security-dev mailing list