RFR [14] 8223940: Private key not supported by chosen signature algorithm

Xuelei Fan xuelei.fan at oracle.com
Wed Nov 6 15:02:55 UTC 2019


On 11/5/2019 4:49 PM, Valerie Peng wrote:
> Hi Xuelei,
> 
> Updated webrev looks good.
> 
> If we have a failing test to verify the changes, perhaps you can try 
> disabling the CKM_RSA_PKCS_PSS in the PKCS11 provider configuration 
> file. Or, you can always comment out the PSS Signature entry 
> registration in SunPKCS11 provider.
> 
Yes, I commented out the PSS signature items in SunPKCS11 provider, and 
the JPRT result looks good.

Thanks,
Xuelei

> Thanks,
> Valerie
> On 11/4/2019 7:27 PM, Xuelei Fan wrote:
>> Hi Valerie,
>>
>> Thanks for the review.
>>
>> On 11/4/2019 6:36 PM, Valerie Peng wrote:
>>> Hi Xuelei,
>>>
>>> Overall changes look good.
>>>
>>> A nit: SignatureScheme.java:552, "Ignore unsupport..." instead of 
>>> "Ignore the unsupported..."
>>>
>> Good catch!
>>
>>> It seems that the SignatureScheme selection is always selected with 
>>> PrivateKey first?
>> Yes.
>>
>>> It'd be nice to have some comments explain the different handling 
>>> between getSigner(PrivateKey) and getVerifier(PublicKey), i.e. former 
>>> returns null vs later passes up the exception.
>>>
>> Yes, better to have some words for the difference.  Here is the 
>> updated webrev:
>> http://cr.openjdk.java.net/~xuelei/8223940/webrev.01/
>>
>> Comparing to the previous version, only the SignatureScheme.java is 
>> updated.
>>
>> Thanks,
>> Xuelei
>>
>>> Thanks,
>>> Valerie
>>>
>>>
>>> On 10/24/2019 1:56 PM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> Could I get the following update reviewed?
>>>> http://cr.openjdk.java.net/~xuelei/8223940/webrev.00/
>>>>
>>>> For signature algorithms, the update will fail back to use the 
>>>> supported signature algorithm for the specific private key. 
>>>> Previously, the first preferred signature algorithm get used ad the 
>>>> private key may not be able to work with the signature algorithm 
>>>> however.
>>>>
>>>> No new regression test as RSASSA-PSS has been supported in the 
>>>> SunPKCS11 provider currently.  Can I get a help for the test if you 
>>>> are running a provider that does not support RSASSA-PSS yet?
>>>>
>>>> Thanks & Regards,
>>>> Xuelei



More information about the security-dev mailing list