RFR: 8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec [v4]
Valerie Peng
valeriep at openjdk.java.net
Wed Mar 24 22:39:42 UTC 2021
On Tue, 23 Mar 2021 01:01:14 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> P11PrivateKey is private so we cannot check that. Our options to figure out if something is sensitive are:
>> 1. See if it doesn't implement `RSAPrivateKey` (this yields the prior snippet with `implGetSoftwareFactory()`)
>> 2. Try to access the attributes directly from the token (this yields the current solution which we're modifying)
>> 3. Check the value of `p11Key.extractable` (which is package-private and thus visible)
>>
>> The smallest change would be to keep our strategy as 2. While I like it the least (my favorite is number 1) it has the smallest risk of changing some undocumented behavior on a PKCS#11 device that we're unfamiliar with (and not testing because we may not have the hardware costing tens of thousands of dollars). Option 3 somewhat spits the difference between 1 and 2.
>
> Or, how about changing the scope of P11PrivateKey/P11RSAPrivateKey/P11RSAPrivateNonCRTKey to pkg private? This way we can take advantage of the info implied by the type of class and avoid the potential double failure of querying the attributes.
Rest of changes look good. Thanks for the update.
-------------
PR: https://git.openjdk.java.net/jdk/pull/2949
More information about the security-dev
mailing list