RFR: 8267319: Use larger default key sizes and algorithms based on CNSA [v5]

Weijun Wang weijun at openjdk.java.net
Wed Mar 16 00:16:50 UTC 2022


On Tue, 15 Mar 2022 20:44:20 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java line 122:
>> 
>>> 120:             default -> {
>>> 121:                 throw new ProviderException
>>> 122:                         ("Unrecognized algorithm for checking key size");
>> 
>> If it's an unknown key algorithm, is it possible we just ignore it and keep using `minKeyLen` and `maxKeyLen`?
>
> Well, instead of ignoring an unknown key algorithm, it is perhaps safer to throw an Exception so it can be caught and handled during development time. The P11KeyPairGenerator class is only used for known algorithms which it is registered for, so it is probably OK to go either way. I'd prefer to play it safe and force a review of this block of code when a new algorithm is added.

OK.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7652


