RFR 8242068: Signed JAR support for RSASSA-PSS and EdDSA
Sean Mullan
sean.mullan at oracle.com
Fri May 29 19:32:18 UTC 2020
On 5/23/20 4:21 AM, Weijun Wang wrote:
> CSR updated at https://bugs.openjdk.java.net/browse/JDK-8245274 with the full patch on docs.
Good to remove all of the DSA references :) I had a few comments, mostly
wording suggestions:
- In the Problem section, you should add references to the RFCs.
- Solution section:
RSASSA-RSS and EdDSA keys can be used to signed a JAR file
typo: signed/signed
- Comments on the Specification section:
Some of this wording where you discuss what is going to be done in
jarsigner and the tool doc seems more like it belongs in the Solution
section, but it may be ok either way (not sure, I guess Joe will let you
know if it is an issue).
+RSASSA-PSS \<= 3072 RSASSA-PSS using SHA-256
+ \<= 7680 RSASSA-PSS using SHA-384
+ \> 7680 RSASSA-PSS using SHA-512
It might be better to be more specific, for example "RSASSA-PSS with the
SHA-256 message digest algorithm" I used the term "with" as that is the
word we use in the standard signature algorithm strings.
+pair using `-keyalg EdDSA`, user can specify `-keysize 255` or
`-keysize 448`
s/user/a user/
+Ed25519 key pair is generated. User can also directly specifies
`-keyalg Ed25519`
s/User/A user/
s/specifies/specify/
+ By default, the `jarsigner` command signs a JAR file using one of the
following
+ algorithms files depending on the type and size of the private key:
Not your changes, but there is a grammar error above. I would also
mention block files, since you have added it to the table, so how about:
"By default, the `jarsigner` command signs a JAR file using the
following algorithms and block file extension depending on the type and
size of the private key:"
+will use a new `PSSParameterSpec` parameters that is determined by the
key's
s/a new/new/
+for keysize \<= 3072 bits, use a `PSSParameterSpec` with SHA-256 as the
hash
s/use a `PSSParameterSpec`/a `PSSParameterSpec` will be used/
+and MGF1 algorithms; for keysize \<= 7680 bits, use SHA-384; for
+keysize \>= 7680 bits, use SHA-512.
s/use SHA-384/SHA-384 will be used/
s/use SHA-512/SHA-512 will be used/
--Sean
More information about the security-dev
mailing list