RFR [14] 8223940: Private key not supported by chosen signature algorithm
Xuelei Fan
xuelei.fan at oracle.com
Wed Nov 6 15:02:55 UTC 2019
On 11/5/2019 4:49 PM, Valerie Peng wrote:
> Hi Xuelei,
>
> Updated webrev looks good.
>
> If we have a failing test to verify the changes, perhaps you can try
> disabling the CKM_RSA_PKCS_PSS in the PKCS11 provider configuration
> file. Or, you can always comment out the PSS Signature entry
> registration in SunPKCS11 provider.
>
Yes, I commented out the PSS signature items in SunPKCS11 provider, and
the JPRT result looks good.
Thanks,
Xuelei
> Thanks,
> Valerie
> On 11/4/2019 7:27 PM, Xuelei Fan wrote:
>> Hi Valerie,
>>
>> Thanks for the review.
>>
>> On 11/4/2019 6:36 PM, Valerie Peng wrote:
>>> Hi Xuelei,
>>>
>>> Overall changes look good.
>>>
>>> A nit: SignatureScheme.java:552, "Ignore unsupport..." instead of
>>> "Ignore the unsupported..."
>>>
>> Good catch!
>>
>>> It seems that the SignatureScheme selection is always selected with
>>> PrivateKey first?
>> Yes.
>>
>>> It'd be nice to have some comments explain the different handling
>>> between getSigner(PrivateKey) and getVerifier(PublicKey), i.e. former
>>> returns null vs later passes up the exception.
>>>
>> Yes, better to have some words for the difference. Here is the
>> updated webrev:
>> http://cr.openjdk.java.net/~xuelei/8223940/webrev.01/
>>
>> Comparing to the previous version, only the SignatureScheme.java is
>> updated.
>>
>> Thanks,
>> Xuelei
>>
>>> Thanks,
>>> Valerie
>>>
>>>
>>> On 10/24/2019 1:56 PM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> Could I get the following update reviewed?
>>>> http://cr.openjdk.java.net/~xuelei/8223940/webrev.00/
>>>>
>>>> For signature algorithms, the update will fail back to use the
>>>> supported signature algorithm for the specific private key.
>>>> Previously, the first preferred signature algorithm get used ad the
>>>> private key may not be able to work with the signature algorithm
>>>> however.
>>>>
>>>> No new regression test as RSASSA-PSS has been supported in the
>>>> SunPKCS11 provider currently. Can I get a help for the test if you
>>>> are running a provider that does not support RSASSA-PSS yet?
>>>>
>>>> Thanks & Regards,
>>>> Xuelei
More information about the security-dev
mailing list