RFR: 8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec [v6]

Valerie Peng valeriep at openjdk.java.net
Wed Mar 24 22:31:41 UTC 2021


On Wed, 24 Mar 2021 03:25:02 GMT, Ziyi Luo <luoziyi at openjdk.org> wrote:

>> This is a P2 regression introduced by JDK-8254717.
>> 
>> In `RSAKeyFactory.engineGetKeySpec`, when the key is an RSA key and the KeySpec is RSAPrivateKeySpec or RSAPrivateCrtKeySpec, the method behavior is described as follows:
>> 
>> X-axis: type of `keySpec`
>> Y-axis: type of `key`
>> 
>> Before JDK-8254717:
>> 
>> |  | RSAPrivateKeySpec.class | RSAPrivateCrtKeySpec.class |
>> |--|--|--|
>> | RSAPrivateKey | Return RSAPrivateKeySpec  | Throw `InvalidKeySpecException` |
>> | RSAPrivateCrtKey | Return RSAPrivateKeySpec | Return RSAPrivateCrtKeySpec |
>> 
>> After JDK-8254717 (Green check is what we want to fix, red cross is the regression):
>> 
>> |  | RSAPrivateKeySpec.class | RSAPrivateCrtKeySpec.class |
>> |--|--|--|
>> | RSAPrivateKey | Throw `InvalidKeySpecException` ❌  | Throw `InvalidKeySpecException` |
>> | RSAPrivateCrtKey | Return RSAPrivateCrtKeySpec ✅ | Return RSAPrivateCrtKeySpec |
>> 
>> This commit fixes the regression.
>> 
>> 
>> ### Tests
>> 
>> * Jtreg: All tests under `java/security`, `sun/security`, `javax/crypto` passed
>> * JCK: All JCK-16 (I do not have JCK-17) tests under `api/java_security` passed
>
> Ziyi Luo has updated the pull request incrementally with two additional commits since the last revision:
> 
>  - Remove trailing whitespace
>  - Refactor P11RSAKeyFactory and improve tests

test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java line 36:

> 34:  * @test
> 35:  * @bug 8263404
> 36:  * @summary RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec

It'd be clearer to re-word the summary to clear things up, e.g. return RSAPrivateCrtKeySpec for CRT Keys even when RSAPrivateKeySpec is specified for KeyFactory.getKeySpec() calls.

test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java line 38:

> 36:  * @summary RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
> 37:  * @summary Also checks to ensure that sensitive RSA keys are correctly not exposed
> 38:  * @author Greg Rubin, Ziyi Luo

Latest policy is to not include @author tag.

test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java line 87:

> 85:             if (!(spec instanceof RSAPrivateCrtKeySpec)) {
> 86:                 throw new Exception("Spec should be an instance of RSAPrivateCrtKeySpec");
> 87:             }            

Note that SunPKCS11 provider does not really generate the keys unlike SunRsaSign provider, thus for correctness, you should check it's a CRT key before you impose the instanceof RSAPrivateCrtKeySpec check.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2949
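
The behaviour matrix from the pull request description, together with the review point about checking the key type before asserting on the spec type, as an added Java example that is not part of the original thread or of the JDK test. The class name `GetRsaKeySpecMatrix` and the helpers `probe` and `expected` are hypothetical, and the code assumes the default `RSA` KeyFactory and KeyPairGenerator providers.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPrivateKeySpec;
import java.util.List;

// Added illustration (hypothetical class name), not part of the pull request.
public class GetRsaKeySpecMatrix {
    static final String THROWS = "InvalidKeySpecException";

    // Observed behaviour for one cell: simple name of the returned spec, or THROWS.
    static String probe(KeyFactory kf, PrivateKey key, Class<? extends KeySpec> requested) {
        try {
            return kf.getKeySpec(key, requested).getClass().getSimpleName();
        } catch (InvalidKeySpecException e) {
            return THROWS;
        }
    }

    // Behaviour the fix aims for, per the tables in the description. The key type
    // is checked first, so a CRT spec is only expected when the key is a CRT key.
    static String expected(PrivateKey key, Class<? extends KeySpec> requested) {
        if (key instanceof RSAPrivateCrtKey) return "RSAPrivateCrtKeySpec";
        return requested == RSAPrivateKeySpec.class ? "RSAPrivateKeySpec" : THROWS;
    }

    public static void main(String[] args) throws Exception {
        KeyFactory kf = KeyFactory.getInstance("RSA");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        RSAPrivateKey generated = (RSAPrivateKey) kpg.generateKeyPair().getPrivate();
        // Rebuild the key from modulus and private exponent only, dropping CRT parameters.
        PrivateKey plain = kf.generatePrivate(
                new RSAPrivateKeySpec(generated.getModulus(), generated.getPrivateExponent()));
        for (PrivateKey key : new PrivateKey[] {plain, generated}) {
            for (Class<? extends KeySpec> req : List.of(
                    RSAPrivateKeySpec.class, RSAPrivateCrtKeySpec.class)) {
                String got = probe(kf, key, req);
                System.out.printf("%-5s key, %-20s requested: %-23s (%s)%n",
                        key instanceof RSAPrivateCrtKey ? "CRT" : "plain",
                        req.getSimpleName(), got,
                        got.equals(expected(key, req)) ? "as intended" : "differs");
            }
        }
    }
}
```

On a build carrying the regression described above, the plain key with `RSAPrivateKeySpec` requested is the cell that reports `differs`.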