My recollection is that the latest PKCS11 standard has been in the works
for a few years and there is no SHA-2 DSA signature support from Solaris
when we add the SHA-2 DSA support.
Valerie
On 2/24/2016 10:25 AM, Sean Mullan wrote:
On 02/24/2016 11:58 AM, Seán Coffey wrote:
I think you might have forgotten the PKCS11 implementation Sean.
e.g.
src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java
Good catch, although I think we should only increase the size for RSA
key pairs, since we don't yet support the SHA-2 DSA signature
algorithms for pkcs11, and it will throw an exception if keys larger
than 1024 bits are used to sign or verify data.
Valerie or Vinnie, do you know why we don't yet have support for SHA-2
withDSA signature algorithms in our PKCS11 provider? I don't see a bug
filed for it.
On a side note, I notice a discrepancy in the KeyPairGenerator javadoc.
It's more of an implNote issue :
If the algorithm is the/DSA/algorithm, and the keysize (modulus size)
is 512, 768, or 1024, then the/Sun/provider uses a set of precomputed
values for the|p|,|q|, and|g|parameters.
I think we also cache 2048 bit values. Maybe you can modify.
This is true -- I will add 2048 to the above sentence.
--Sean
Regards,
Sean.
On 24/02/16 14:54, Sean Mullan wrote:
Please review this fix to improve security defaults by increasing the
default keysize of the RSA, DSA, and DiffieHellman implementations of
AlgorithmParameterGenerator and KeyPairGenerator from 1024 to 2048
bits:
http://cr.openjdk.java.net/~mullan/webrevs/8138653/webrev.00/
Thanks,
Sean
