Re: Code Review Request 8049321 Support SHA256WithDSA in JSSE

Wed, 16 Dec 2015 15:53:31 -0800 


On 12/16/2015 3:22 PM, Xuelei Fan wrote:

On 12/17/2015 3:14 AM, Bradford Wetmore wrote:

The change itself looks ok, but a question on the previous code.

420:  Why is SHA224 disabled when SunMSCAPI is present?  Or
alternatively, why is SHA224 enabled when SunMSCAPI not present?

SunMSCAPI does not support SHA-224 yet.


That was my guess, however...


Shouldn't this be based on whether there is a SHA224 implementation
available?

The SHA-224 is always available with JDK providers.  But SHA224withRSA
and SHA224withDSA does not work for SunMSCAPI.  So we need to filter out
SHA-224 for SunMSCAPI.


        if (Security.getProvider("SunMSCAPI") == null) {
            supports(HashAlgorithm.SHA224,      SignatureAlgorithm.DSA,
                 "SHA224withDSA",        --p);


Those two algs are always being filtered out regardless of whether other 
providers might support it.  For all platforms, the Sun provider is 
available for SHA224withDSA/SHA256withDSA, right?


    map.put("Signature.SHA224withDSA",
        "sun.security.provider.DSA$SHA224withDSA");
    map.put("Signature.SHA256withDSA",
        "sun.security.provider.DSA$SHA256withDSA");


So if SunMSCAPI is registered as an active provider (on a Windows 
platform), SHA224/SHA256 will be disabled.  This doesn't seem right.



And if so, why are we not verifying that an implementation
exists (getInstance("SHA256") doesn't throw exception) for the other
algorithms also (SHA1/RSA/etc)?


Need to check the full signature name.  But no checking at present as
these algorithms are supported by JDK providers except the SHA-224 based
ones.  May make improvement later.


This does require that at least the Sun provider always be available then.

Brad





Thanks,
Xuelei


The synopsis should probably be:

     Support SHA224withDSA/SHA256withDSA in TLSv1.2 \
     signature_algorithms extension

Also, note the case of the "W" in "SHA256WithDSA".

Brad


On 12/14/2015 9:47 PM, Xuelei Fan wrote:

On 12/15/2015 1:40 PM, Xuelei Fan wrote:

Hi,

Please this enhancement to the JSSE implementation:


Please review this enhancement to the JSSE implementation:


     http://cr.openjdk.java.net/~xuelei/8049321/webrev.00/

This change will add support for the SHA224withDSA and SHA256withDSA
algorithms in the TLS "signature_algorithms" extension in the SunJSSE
provider.  Note that this extension does not apply to TLS 1.1 and
previous versions.

Thanks,
Xuelei



























					Reply via email to