RFR 8242184: CRL generation error with RSASSA-PSS
Sean Mullan
sean.mullan at oracle.com
Fri Apr 17 19:24:54 UTC 2020
On 4/15/20 8:28 AM, Weijun Wang wrote:
>
>> On Apr 9, 2020, at 3:46 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> On 4/6/20 11:11 PM, Weijun Wang wrote:
>>> Please review the fix at
>>> http://cr.openjdk.java.net/~weijun/8242184/webrev.00/
>>> The major change is inside X509CRLImpl.java to allow params setting and reading.
>>> I also take this chance to:
>>> 1. Provide a default -sigalg for "keytool -genkeypair -keyalg rsassa-pss".
>>
>> I think you should file a CSR for that, since it is a new default, and the default varies based on the size of the key. You should also update the keytool man page section on defaults.
>
> I've filed a CSR at https://bugs.openjdk.java.net/browse/JDK-8242812. Please take a review.
In the Problem section, you might want to mention what the current
behavior of keytool is right now if you use an RSASSA-PSS key and you
don't specify -sigalg.
Otherwise, looks good.
--Sean
>
> Here, actually when the key is RSASSA-PSS, the default signature is simply RSASSA-PSS, and its parameters will take the same from the key itself, and not related to the key size.
>
> Thanks,
> Max
>
>>
>> --Sean
>>
>>> 2. Revert a former change in X509CertImpl.java, which might be a safer call.
>>> Thanks,
>>> Max
>
More information about the security-dev
mailing list