RFR: 8272385: Enforce ECPrivateKey d value to be in the range [1, n-1] for SunEC provider
Jamil Nimeh
jnimeh at openjdk.java.net
Wed Sep 1 16:34:23 UTC 2021
On Wed, 1 Sep 2021 15:13:14 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> So the key is only validated before it's used? Why not when creating it?
>
> Do we need to validate public key as well? It might not be a problem since modular calculation should scale it back to normal. Our old native impl does have one at https://github.com/openjdk/jdk11u-dev/blob/master/src/jdk.crypto.ec/share/native/libsunec/impl/ec.c#L481.
>
> One more thing: I would prefer `[1, n)` or `(0, n)` in the bug title, and, it's probably more efficient to call `sVal.compareTo(BigInteger.ZERO) <= 0` than `sVal.compareTo(BigInteger.ONE) < 0`.
Good questions.
WRT the KeyFactory, I looked not only at ours but also BC's and neither seems to put restrictions on ranges for an ECPrivateKey. Given that behavior I thought for this change I'd leave KeyFactory alone.
Validating the public key might not be a bad idea. I could come up with a Java-based version of what's in libsunec and update the test to cover that as well.
With respect to the synopsis, I'd prefer to leave it [1, n-1] because that's the notation used by FIPS 186-4, X9.62 and SEC 1. But the BigInteger.compareTo I will change as you suggested.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5324
More information about the security-dev
mailing list