Re: Code Review Request for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()
Thanks for the prompt review~
Valerie

On 11/22/13 12:20, Sean Mullan wrote:
> On 11/22/2013 02:54 PM, Valerie (Yu-Ching) Peng wrote:
>> Even if Solaris PKCS11 provider starts to support 2048-bit DSA keys, its SHA1withDSA signature impl should still only accept up-to-1024-bit DSA keys. The longer DSA keys need newer signature impls using SHA2-family digests. So, the regression test should still be valid.
>
> Ok, sounds good.
>
> --Sean
>
>> Thanks,
>> Valerie
>>
>> On 11/22/13 07:40, Sean Mullan wrote:
>>> The fix looks good. One comment on the test - it looks like the test would start failing if Solaris PKCS11 started to support 2048 bit DSA keys. Is there a way to workaround that by checking the max key length supported by the library?
>>>
>>> --Sean
>>>
>>> On 11/19/2013 08:37 PM, Valerie (Yu-Ching) Peng wrote:
>>>> Can someone please help review my fixes for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()?
>>>>
>>>> Native PKCS11 libraries don't seem to check the key during the initialization calls (triggered by initSign()/initVerify()). Rather, it errors out during the subsequent update() calls. So, I added necessary key length checks.
>>>>
>>>> Webrev: http://cr.openjdk.java.net/~valeriep/7200306/webrev.00/
>>>>
>>>> Thanks,
>>>> Valerie
Re: Code Review Request for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()
On 11/22/2013 02:54 PM, Valerie (Yu-Ching) Peng wrote:
> Even if Solaris PKCS11 provider starts to support 2048-bit DSA keys, its SHA1withDSA signature impl should still only accept up-to-1024-bit DSA keys. The longer DSA keys need newer signature impls using SHA2-family digests. So, the regression test should still be valid.

Ok, sounds good.

--Sean

> Thanks,
> Valerie
>
> On 11/22/13 07:40, Sean Mullan wrote:
>> The fix looks good. One comment on the test - it looks like the test would start failing if Solaris PKCS11 started to support 2048 bit DSA keys. Is there a way to workaround that by checking the max key length supported by the library?
>>
>> --Sean
>>
>> On 11/19/2013 08:37 PM, Valerie (Yu-Ching) Peng wrote:
>>> Can someone please help review my fixes for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()?
>>>
>>> Native PKCS11 libraries don't seem to check the key during the initialization calls (triggered by initSign()/initVerify()). Rather, it errors out during the subsequent update() calls. So, I added necessary key length checks.
>>>
>>> Webrev: http://cr.openjdk.java.net/~valeriep/7200306/webrev.00/
>>>
>>> Thanks,
>>> Valerie
Re: Code Review Request for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()
Even if Solaris PKCS11 provider starts to support 2048-bit DSA keys, its SHA1withDSA signature impl should still only accept up-to-1024-bit DSA keys. The longer DSA keys need newer signature impls using SHA2-family digests. So, the regression test should still be valid.

Thanks,
Valerie

On 11/22/13 07:40, Sean Mullan wrote:
> The fix looks good. One comment on the test - it looks like the test would start failing if Solaris PKCS11 started to support 2048 bit DSA keys. Is there a way to workaround that by checking the max key length supported by the library?
>
> --Sean
>
> On 11/19/2013 08:37 PM, Valerie (Yu-Ching) Peng wrote:
>> Can someone please help review my fixes for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()?
>>
>> Native PKCS11 libraries don't seem to check the key during the initialization calls (triggered by initSign()/initVerify()). Rather, it errors out during the subsequent update() calls. So, I added necessary key length checks.
>>
>> Webrev: http://cr.openjdk.java.net/~valeriep/7200306/webrev.00/
>>
>> Thanks,
>> Valerie
Re: Code Review Request for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()
The fix looks good. One comment on the test - it looks like the test would start failing if Solaris PKCS11 started to support 2048 bit DSA keys. Is there a way to workaround that by checking the max key length supported by the library?

--Sean

On 11/19/2013 08:37 PM, Valerie (Yu-Ching) Peng wrote:
> Can someone please help review my fixes for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()?
>
> Native PKCS11 libraries don't seem to check the key during the initialization calls (triggered by initSign()/initVerify()). Rather, it errors out during the subsequent update() calls. So, I added necessary key length checks.
>
> Webrev: http://cr.openjdk.java.net/~valeriep/7200306/webrev.00/
>
> Thanks,
> Valerie
Code Review Request for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()
Can someone please help review my fixes for 7200306: SunPKCS11 provider delays the check of DSA key size for SHA1withDSA to sign() instead of init()?

Native PKCS11 libraries don't seem to check the key during the initialization calls (triggered by initSign()/initVerify()). Rather, it errors out during the subsequent update() calls. So, I added necessary key length checks.

Webrev: http://cr.openjdk.java.net/~valeriep/7200306/webrev.00/

Thanks,
Valerie
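
Added example, not part of the thread and not the code in the webrev: a sketch of the idea discussed above, checking the DSA key size when a SHA1withDSA signature is initialized rather than letting the failure surface at update() or sign(). The class and helper names are hypothetical, the 1024-bit limit is the one stated in the thread, and the demo uses the JDK's default provider with locally generated keys instead of a PKCS11 token.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.interfaces.DSAKey;
import java.security.interfaces.DSAParams;

public class EarlyDsaKeyCheck {
    // Limit stated in the thread: SHA1withDSA takes DSA keys of up to 1024 bits.
    static final int MAX_SHA1_DSA_BITS = 1024;

    // Hypothetical helper: reject an oversized key before any signing call is made.
    static void checkKeySize(PrivateKey key) throws InvalidKeyException {
        if (!(key instanceof DSAKey) || ((DSAKey) key).getParams() == null) {
            throw new InvalidKeyException("DSA key with parameters required");
        }
        DSAParams params = ((DSAKey) key).getParams();
        int bits = params.getP().bitLength();   // DSA key size = bit length of prime p
        if (bits > MAX_SHA1_DSA_BITS) {
            throw new InvalidKeyException("SHA1withDSA supports keys up to "
                    + MAX_SHA1_DSA_BITS + " bits, got " + bits);
        }
    }

    // Hypothetical wrapper: the size check runs at init time, not at update()/sign().
    static Signature initSha1WithDsa(PrivateKey key) throws GeneralSecurityException {
        checkKeySize(key);
        Signature sig = Signature.getInstance("SHA1withDSA");
        sig.initSign(key);
        return sig;
    }

    public static void main(String[] args) throws Exception {
        byte[] data = "constructed sample message".getBytes("UTF-8");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        for (int bits : new int[] {1024, 2048}) {
            kpg.initialize(bits);   // keys generated locally for the demo
            PrivateKey key = kpg.generateKeyPair().getPrivate();
            try {
                Signature sig = initSha1WithDsa(key);
                sig.update(data);
                System.out.println(bits + "-bit key: signature of " + sig.sign().length + " bytes");
            } catch (InvalidKeyException e) {
                System.out.println(bits + "-bit key rejected at init: " + e.getMessage());
            }
        }
    }
}
```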