On 1/17/2021 9:29 PM, Valerie Peng wrote:
On Fri, 15 Jan 2021 01:45:07 GMT, Valerie Peng <valer...@openjdk.org> wrote:
Marked as reviewed by weijun (Reviewer).
_Mailing list message from [Michael StJohns](mailto:mstjo...@comcast.net) on
[security-dev](mailto:security-dev@openjdk.java.net):_
Sorry - I'm coming to this a bit late.
Any chance of adding the logic for generatePublic() from a PKCS8 RSA
private key? RFC3477 has the PKCS1 RSAPrivateKey ASN1 which includes
the modulus and publicExponent - so it should be a pretty straightforward
add to generate a public key.
PKCS11 2.40 started requiring that the publicExponent be stored with the
private key to allow for the public key to be regenerated from a private
key object. Going forward, it might be a good idea to modify the
RSAPrivate(Crt)KeyImpl class to store the publicExponent if provided.
Mike
You are correct that for RSA private CRT keys the necessary values are there
for figuring out the corresponding public key.
This change is about adding support for PKCS#1 encoded RSA keys and being able to
translate them into PKCS#8 encoded keys and/or extract various key specs out of
them. If you already have a PKCS#8 RSAPrivateCrtKey obj from the SunRsaSign provider,
you can call its getPublicExponent() method and use that to create an
RSAPublicKeySpec and generate an RSA public key with it. If you are using a 3rd
party impl which somehow does not return the public exponent value, then you
can translate it using the RSA key factory impl from the SunRsaSign provider and
then repeat the aforementioned step. Will this address your need? If not, could
you elaborate on the usage that you have in mind? Not sure if you are suggesting a
new KeyFactory.generatePublic() method which takes a PrivateKey, or something else.
Mike,
We can continue your feedback with a separate RFE since this RFE is just about
adding support for PKCS#1 encoding.
I need to wrap this up before my upcoming trip this Wed, hope that's ok with
you.
Thanks! Valerie
-------------
PR: https://git.openjdk.java.net/jdk/pull/1787
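The two-step technique described in the reply above (translate through SunRsaSign, then build an RSAPublicKeySpec from the modulus and public exponent), written out as an added Java example; this is not code from the PR or the JDK, and the class and method names are my own:

```java
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;

public class RsaPublicFromPrivate {

    // Rebuild the RSA public key from a private key object. If the given
    // object is not a CRT key (e.g. a third-party impl that hides the public
    // exponent), translate it with the SunRsaSign KeyFactory first.
    static PublicKey publicFromPrivate(PrivateKey priv) throws Exception {
        KeyFactory kf = KeyFactory.getInstance("RSA", "SunRsaSign");
        Key translated = (priv instanceof RSAPrivateCrtKey) ? priv : kf.translateKey(priv);
        if (!(translated instanceof RSAPrivateCrtKey)) {
            // A plain RSAPrivateKey carries only (n, d): the public exponent is
            // simply not there, so the public key cannot be recovered this way.
            throw new InvalidKeyException("not a CRT key; public exponent unavailable");
        }
        RSAPrivateCrtKey crt = (RSAPrivateCrtKey) translated;
        RSAPublicKeySpec spec = new RSAPublicKeySpec(crt.getModulus(), crt.getPublicExponent());
        return kf.generatePublic(spec);
    }

    public static void main(String[] args) throws Exception {
        // Constructed test key pair; compare the rebuilt key's X.509 encoding
        // with the original public key's encoding.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        PublicKey rebuilt = publicFromPrivate(kp.getPrivate());
        boolean same = Arrays.equals(rebuilt.getEncoded(), kp.getPublic().getEncoded());
        System.out.println("rebuilt public key matches original: " + same);
    }
}
```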
No worries - I got busy with other things for a few days.
To answer your other question, I've had a few cases where the public key
for a private key has been misplaced and where we needed it back.
Ideally, it should be possible to take a PrivateKey object (in whatever
form including just PrivateKey) and run it through the KeyFactory to
extract a PublicKey. I've used the technique you suggest above before
(and the related multiply the private scalar against G for EC keys) to
retrieve the data needed to build a public key, but each of these is a
bit ad hoc. I'd really prefer to have a standard pattern for all key types.
About 4 years or so ago (e.g. when 2.40 was released), the PKCS11 group
started requiring that the private keys include the attributes necessary
to retrieve the public key - for RSA it was the public exponent, and for
EC it was the public point (which could be stored or regenerated upon
demand). It may be time to think about doing something similar here and
going forward for any given asymmetric key type.
That's a more general RFE than just updating the current implementing
classes, but as far as I can tell, doesn't change any of the APIs, but
may change the factory class implementation guidance.
An interesting addition would be to have the Impl classes implement both
the appropriate public key and private key interfaces.