RFR: 8298127: HSS/LMS Signature Verification [v5]

Sean Mullan mullan at openjdk.org
Mon May 8 13:11:36 UTC 2023 

On Tue, 2 May 2023 21:43:19 GMT, Ferenc Rakoczi <duke at openjdk.org> wrote:

>> Implement support for Leighton-Micali Signatures (LMS) as described in RFC 8554. LMS is an approved software signing algorithm for CNSA 2.0, with SHA-256/192 parameters recommended.
>
> Ferenc Rakoczi has updated the pull request incrementally with one additional commit since the last revision:
> 
>   adding key translation, finally block, removing 24-byte LMOTS parameters

src/java.base/share/classes/sun/security/provider/HSS.java line 746:

> 744:         @Override
> 745:         protected <T extends KeySpec> T engineGetKeySpec(Key key, Class<T> keySpec) throws InvalidKeySpecException {
> 746:             if (key.getFormat().equals("X.509") && key.getAlgorithm().equals("HSS/LMS")) {

Should check if `key` is `null` and if so, throw `InvalidKeySpecExc`.

src/java.base/share/classes/sun/security/provider/HSS.java line 746:

> 744:         @Override
> 745:         protected <T extends KeySpec> T engineGetKeySpec(Key key, Class<T> keySpec) throws InvalidKeySpecException {
> 746:             if (key.getFormat().equals("X.509") && key.getAlgorithm().equals("HSS/LMS")) {

Standard names are case-insensitive, so should use `equalsIgnoreCase`.

src/java.base/share/classes/sun/security/provider/HSS.java line 774:

> 772:     }
> 773: 
> 774:     public static class HSSPublicKey extends X509Key implements Length {

Can this be package-private instead of `public`?

src/java.base/share/classes/sun/security/provider/HSS.java line 781:

> 779: 
> 780:         @SuppressWarnings("deprecation")
> 781:         public HSSPublicKey(byte[] keyArray) throws InvalidKeyException {

Can this be package-private instead of public?

src/java.base/share/classes/sun/security/provider/HSS.java line 796:

> 794: 
> 795:         @Override
> 796:         @SuppressWarnings("deprecation")

Why do you need the `SuppressWarnings` annotation here? `sun.util.Length.length()` is not deprecated.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13691#discussion_r1187417447
PR Review Comment: https://git.openjdk.org/jdk/pull/13691#discussion_r1187421443
PR Review Comment: https://git.openjdk.org/jdk/pull/13691#discussion_r1187395653
PR Review Comment: https://git.openjdk.org/jdk/pull/13691#discussion_r1187397466
PR Review Comment: https://git.openjdk.org/jdk/pull/13691#discussion_r1187402001

More information about the security-dev mailing list