RFR [14] 8223940: Private key not supported by chosen signature algorithm
Valerie Peng
valerie.peng at oracle.com
Wed Nov 6 00:49:59 UTC 2019
Hi Xuelei,
Updated webrev looks good.
If we have a failing test to verify the changes, perhaps you can try
disabling the CKM_RSA_PKCS_PSS in the PKCS11 provider configuration
file. Or, you can always comment out the PSS Signature entry
registration in SunPKCS11 provider.
Thanks,
Valerie
On 11/4/2019 7:27 PM, Xuelei Fan wrote:
> Hi Valerie,
>
> Thanks for the review.
>
> On 11/4/2019 6:36 PM, Valerie Peng wrote:
>> Hi Xuelei,
>>
>> Overall changes look good.
>>
>> A nit: SignatureScheme.java:552, "Ignore unsupport..." instead of
>> "Ignore the unsupported..."
>>
> Good catch!
>
>> It seems that the SignatureScheme selection is always selected with
>> PrivateKey first?
> Yes.
>
>> It'd be nice to have some comments explaining the different handling
>> between getSigner(PrivateKey) and getVerifier(PublicKey), i.e. the former
>> returns null vs. the latter passes up the exception.
>>
> Yes, better to have some words for the difference. Here is the
> updated webrev:
> http://cr.openjdk.java.net/~xuelei/8223940/webrev.01/
>
> Compared to the previous version, only the SignatureScheme.java is
> updated.
>
> Thanks,
> Xuelei
>
>> Thanks,
>> Valerie
>>
>>
>> On 10/24/2019 1:56 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Could I get the following update reviewed?
>>> http://cr.openjdk.java.net/~xuelei/8223940/webrev.00/
>>>
>>> For signature algorithms, the update will fall back to use the
>>> supported signature algorithm for the specific private key.
>>> Previously, the first preferred signature algorithm gets used and the
>>> private key may not be able to work with the signature algorithm
>>> however.
>>>
>>> No new regression test as RSASSA-PSS has been supported in the
>>> SunPKCS11 provider currently. Can I get help with the test if you
>>> are running a provider that does not support RSASSA-PSS yet?
>>>
>>> Thanks & Regards,
>>> Xuelei
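
An added sketch of the fallback discussed in this thread, not the webrev's or the JDK's own code: candidate algorithms are tried in preference order, and a candidate the private key cannot be initialized with is skipped, while the verifier side passes the exception up. The class name, the two-argument method signatures, the candidate list and the PSS parameters are assumptions; only the standard `java.security` API is used (JDK 11 or later for RSASSA-PSS).

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.List;

public class SignerFallback {
    // Constructed PSS parameters (SHA-256, MGF1, 32-byte salt) for this sketch.
    static final PSSParameterSpec PSS = new PSSParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

    // Signing side: any failure means this candidate is unusable with this
    // key or provider, so return null and let the caller try the next one.
    static Signature getSigner(String alg, PrivateKey key) {
        try {
            Signature s = Signature.getInstance(alg);
            if (alg.equals("RSASSA-PSS")) s.setParameter(PSS);
            s.initSign(key);
            return s;
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    // Verifying side: no fallback here, the failure is passed up to the caller.
    static Signature getVerifier(String alg, PublicKey key)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance(alg);
        if (alg.equals("RSASSA-PSS")) s.setParameter(PSS);
        s.initVerify(key);
        return s;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();   // EC key: the RSA candidates must fail
        byte[] msg = "constructed sample message".getBytes("UTF-8");
        for (String alg : List.of("RSASSA-PSS", "SHA256withRSA", "SHA256withECDSA")) {
            Signature signer = getSigner(alg, kp.getPrivate());
            if (signer == null) { System.out.println("skip " + alg); continue; }
            signer.update(msg);
            byte[] sig = signer.sign();
            Signature verifier = getVerifier(alg, kp.getPublic());
            verifier.update(msg);
            System.out.println("used " + alg + ", verified=" + verifier.verify(sig));
            break;
        }
    }
}
```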