RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v3]

Xue-Lei Andrew Fan xuelei at openjdk.java.net
Fri Oct 22 18:01:10 UTC 2021


On Thu, 21 Oct 2021 19:16:34 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:

>> Hello,
>> 
>> Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
>> 
>> I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. 
>> If not applied, implementation can try to select signer from other providers
>> 
>> Regards
>> Alexey
>
> Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Change exception handling

Changes requested by xuelei (Reviewer).

src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java line 212:

> 210:      */
> 211:     private void isPrivateKeyValid(RSAPrivateKey prKey)  throws InvalidKeyException {
> 212:         InvalidKeyException ikException = null;

If I read the code correct, by define a local variable, it looks like you are trying to avoid to re-throw the exception in the catch clause.  But this style adds additional effort to read the code.  Exception re-throw should be fine as if the exception has been generated and will be thrown in the end of the method.

src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java line 220:

> 218:                             crtKey.getPublicExponent());
> 219:                 } else {
> 220:                     ikException = new InvalidKeyException(

See above comment, I will just throw the exception, rather than cache it.

-------------

PR: https://git.openjdk.java.net/jdk/pull/4887


More information about the security-dev mailing list