RFR [14] 8223940: Private key not supported by chosen signature algorithm

Valerie Peng valerie.peng at oracle.com
Wed Nov 6 00:49:59 UTC 2019


Hi Xuelei,

Updated webrev looks good.

If we have a failing test to verify the changes, perhaps you can try 
disabling the CKM_RSA_PKCS_PSS in the PKCS11 provider configuration 
file. Or, you can always comment out the PSS Signature entry 
registration in SunPKCS11 provider.

Thanks,
Valerie

On 11/4/2019 7:27 PM, Xuelei Fan wrote:
> Hi Valerie,
>
> Thanks for the review.
>
> On 11/4/2019 6:36 PM, Valerie Peng wrote:
>> Hi Xuelei,
>>
>> Overall changes look good.
>>
>> A nit: SignatureScheme.java:552, "Ignore unsupport..." instead of 
>> "Ignore the unsupported..."
>>
> Good catch!
>
>> It seems that the SignatureScheme selection is always selected with 
>> PrivateKey first?
> Yes.
>
>> It'd be nice to have some comments explaining the different handling
>> between getSigner(PrivateKey) and getVerifier(PublicKey), i.e. the former
>> returns null vs. the latter passes up the exception.
>>
> Yes, better to have some words for the difference.  Here is the 
> updated webrev:
>    http://cr.openjdk.java.net/~xuelei/8223940/webrev.01/
>
> Compared to the previous version, only SignatureScheme.java is
> updated.
>
> Thanks,
> Xuelei
>
>> Thanks,
>> Valerie
>>
>>
>> On 10/24/2019 1:56 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Could I get the following update reviewed?
>>>     http://cr.openjdk.java.net/~xuelei/8223940/webrev.00/
>>>
>>> For signature algorithms, the update will fall back to use the
>>> supported signature algorithm for the specific private key.
>>> Previously, the first preferred signature algorithm got used, and the
>>> private key may not be able to work with the signature algorithm,
>>> however.
>>>
>>> No new regression test, as RSASSA-PSS is currently supported in the
>>> SunPKCS11 provider.  Can I get help with the test if you
>>> are running a provider that does not support RSASSA-PSS yet?
>>>
>>> Thanks & Regards,
>>> Xuelei
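
Added example, not code from this thread or from the JDK: a Java sketch of the fallback discussed above, where the signer side skips preferred algorithms the private key cannot be used with and returns null if none works, while the verifier side passes the exception up. The class, the preference list and the use of an EC key against RSA algorithm names (standing in for a key whose provider lacks RSASSA-PSS) are assumptions for illustration.

```java
import java.security.*;
import java.security.spec.*;
import java.util.List;

public class SignerFallback {
    // Returns a Signature initialized with the first preferred algorithm the
    // key can actually be used with, or null when none of them works.
    static Signature getSigner(PrivateKey key, List<String> preferred) {
        for (String alg : preferred) {
            try {
                Signature s = Signature.getInstance(alg);
                s.initSign(key); // a provider that accepts this key is chosen here
                if (alg.equals("RSASSA-PSS")) {
                    s.setParameter(new PSSParameterSpec("SHA-256", "MGF1",
                            MGF1ParameterSpec.SHA256, 32, 1));
                }
                return s;
            } catch (NoSuchAlgorithmException | InvalidKeyException
                    | InvalidAlgorithmParameterException e) {
                // Ignore the unsupported algorithm/key pairing, try the next one.
            }
        }
        return null;
    }

    // Verification side: failures are passed up to the caller, not swallowed.
    static Signature getVerifier(PublicKey key, String alg)
            throws NoSuchAlgorithmException, InvalidKeyException {
        Signature v = Signature.getInstance(alg);
        v.initVerify(key);
        return v;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key: EC, so both RSA entries below must be skipped.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        List<String> preferred =
                List.of("RSASSA-PSS", "SHA256withRSA", "SHA256withECDSA");
        Signature signer = getSigner(kp.getPrivate(), preferred);
        System.out.println("selected: " + signer.getAlgorithm());
        byte[] msg = "constructed sample message".getBytes("UTF-8");
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = getVerifier(kp.getPublic(), signer.getAlgorithm());
        verifier.update(msg);
        System.out.println("verified: " + verifier.verify(sig));
    }
}
```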