[CSR RFR] 8242068: Signed JAR support for RSASSA-PSS and EdDSA
Xuelei Fan
xuelei.fan at oracle.com
Tue May 19 16:03:25 UTC 2020
On 5/19/2020 6:58 AM, Weijun Wang wrote:
> One more thing: do you think we should allow "-siglag Ed25519" and "-sigalg Ed448"?
I would like to have the two options.
> It looks like we should support it because we can call Signature.getInstance() on it, but even if so, the block extension name will still be "EDD" (or "EdDSA").
>
It may be a stupid question, can RSASSA-PSS share the 'rsa', and EdDSA
share or the 'ec' block file extension?
Xuelei
> --Max
>
>
>> On May 19, 2020, at 5:43 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>
>> Please review the CSR at
>>
>> https://bugs.openjdk.java.net/browse/JDK-8245274
>>
>> The most arguable is the new block extension names. I drafted "PSS" for "RSASSA-PSS", and "EDD" for "EdDSA", since the old extension names never exceeded 3 letters. If we do not care about this, we can just make them "RSASSA-PSS" and "EdDSA". We've always treated the extension name in a case-insensitive way but this needs some debugging.
>>
>> Another thing I haven't mentioned in the CSR is about using `-sigalg RSASSA-PSS` for an RSA key. The hashAlgorithm and maskGenAlgorithm of the PSS parameters will be determined by the key size of the key, i.e.
>>
>> // Same values for RSA and DSA
>> private static String ifcFfcStrength (int bitLength) {
>> if (bitLength > 7680) { // 256 bits
>> return "SHA512";
>> } else if (bitLength > 3072) { // 192 bits
>> return "SHA384";
>> } else { // 128 bits and less
>> return "SHA256";
>> }
>> }
>>
>> and it's not adjustable. I don't know what the best place is for this info.
>>
>> Thanks,
>> Max
>>
>
More information about the security-dev
mailing list