[CSR RFR] 8242068: Signed JAR support for RSASSA-PSS and EdDSA

Weijun Wang weijun.wang at oracle.com
Tue May 19 09:43:43 UTC 2020

Please review the CSR at


The most arguable is the new block extension names. I drafted "PSS" for "RSASSA-PSS", and "EDD" for "EdDSA", since the old extension names never exceeded 3 letters. If we do not care about this, we can just make them "RSASSA-PSS" and "EdDSA". We've always treated the extension name in a case-insensitive way but this needs some debugging.

Another thing I haven't mentioned in the CSR is about using `-sigalg RSASSA-PSS` for an RSA key. The hashAlgorithm and maskGenAlgorithm of the PSS parameters will be determined by the key size of the key, i.e.

    // Same values for RSA and DSA
    private static String ifcFfcStrength (int bitLength) {
        if (bitLength > 7680) { // 256 bits
            return "SHA512";
        } else if (bitLength > 3072) {  // 192 bits
            return "SHA384";
        } else  { // 128 bits and less
            return "SHA256";

and it's not adjustable. I don't know what the best place is for this info.


More information about the security-dev mailing list