RFR: 8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec

SalusaSecondus github.com+829871+salusasecondus at openjdk.java.net
Fri Mar 12 17:02:07 UTC 2021 

On Fri, 12 Mar 2021 15:39:48 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> This is a P2 regression introduced by JDK-8254717.
>> 
>> In `RSAKeyFactory.engineGetKeySpec`, when the key is a RSA key and the KeySpec is RSAPrivateKeySpec or RSAPrivateCrtKeySpec. The method behavior is described as follow:
>> 
>> X-axis: type of `keySpec`
>> Y-axis: type of `key`
>> 
>> Before JDK-8254717:
>> 
>> |  | RSAPrivateKeySpec.class | RSAPrivateCrtKeySpec.class |
>> |--|--|--|
>> | RSAPrivateKey | Return RSAPrivateKeySpec  | Throw `InvalidKeySpecException` |
>> | RSAPrivateCrtKey | Return RSAPrivateKeySpec | Return RSAPrivateKeyCrtSpec |
>> 
>> After JDK-8254717 (Green check is what we want to fix, red cross is the regression):
>> 
>> |  | RSAPrivateKeySpec.class | RSAPrivateCrtKeySpec.class |
>> |--|--|--|
>> | RSAPrivateKey | Throw `InvalidKeySpecException` ❌  | Throw `InvalidKeySpecException` |
>> | RSAPrivateCrtKey | Return RSAPrivateKeyCrtSpec ✅ | Return RSAPrivateKeyCrtSpec |
>> 
>> This commit fixes the regression.
>> 
>> 
>> ### Tests
>> 
>> * Jtreg: All tests under `java/security`, `sun/security`, `javax/crypto` passed
>> * JCK: All JCK-16 (I do not have jCK-17)tests under `api/java_security` passed
>
> My understanding is that the problem here is the 2 `isAssignableFrom` checks are in wrong order. The parent class RSA_PRIV_KEYSPEC_CLS should be checked first.
> 
> BTW, please add a regression test to the fix. Thanks.

If we check the parent class `RSA_PRIV_KEYSPEC_CLS` first, then the JDK will return instances of `RSAPrivateKeySpec` even when it *could* return an instance of `RSAPrivateCrtKeySpec`. If the underlying RSA key has CRT parameters, then it seems preferable to return the more detailed and specific `RSAPrivateCrtKeySpec` if possible. (Not opportunistically returning `RSAPrivateCrtKeySpec` is actually one of the specific things that the prior change (which introduced this regression) is trying to fix.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2949

More information about the security-dev mailing list