RFR: 8267319: Use larger default key sizes and algorithms based on CNSA [v5]

Valerie Peng valeriep at openjdk.java.net
Tue Mar 15 20:47:47 UTC 2022


On Mon, 14 Mar 2022 21:24:15 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Update again and undo DSA changes
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java line 122:
> 
>> 120:             default -> {
>> 121:                 throw new ProviderException
>> 122:                         ("Unrecognized algorithm for checking key size");
> 
> If it's an unknown key algorithm, is it possible we just ignore it and keep using `minKeyLen` and `maxKeyLen`?

Well, instead of ignoring an unknown key algorithm, it is perhaps safer to throw an exception so it can be caught and handled during development. The P11KeyPairGenerator class is only used for the known algorithms it is registered for, so it is probably OK to go either way. I'd prefer to play it safe and force a review of this block of code when a new algorithm is added.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7652


