On Wed, 24 Mar 2021 03:25:02 GMT, Ziyi Luo <luoz...@openjdk.org> wrote:
>> This is a P2 regression introduced by JDK-8254717.
>>
>> In `RSAKeyFactory.engineGetKeySpec`, when the key is a RSA key and the
>> KeySpec is RSAPrivateKeySpec or RSAPrivateCrtKeySpec. The method behavior is
>> described as follow:
>>
>> X-axis: type of `keySpec`
>> Y-axis: type of `key`
>>
>> Before JDK-8254717:
>>
>> | | RSAPrivateKeySpec.class | RSAPrivateCrtKeySpec.class |
>> |--|--|--|
>> | RSAPrivateKey | Return RSAPrivateKeySpec | Throw
>> `InvalidKeySpecException` |
>> | RSAPrivateCrtKey | Return RSAPrivateKeySpec | Return RSAPrivateKeyCrtSpec |
>>
>> After JDK-8254717 (Green check is what we want to fix, red cross is the
>> regression):
>>
>> | | RSAPrivateKeySpec.class | RSAPrivateCrtKeySpec.class |
>> |--|--|--|
>> | RSAPrivateKey | Throw `InvalidKeySpecException` ❌ | Throw
>> `InvalidKeySpecException` |
>> | RSAPrivateCrtKey | Return RSAPrivateKeyCrtSpec ✅ | Return
>> RSAPrivateKeyCrtSpec |
>>
>> This commit fixes the regression.
>>
>>
>> ### Tests
>>
>> * Jtreg: All tests under `java/security`, `sun/security`, `javax/crypto`
>> passed
>> * JCK: All JCK-16 (I do not have jCK-17)tests under `api/java_security`
>> passed
>
> Ziyi Luo has updated the pull request incrementally with two additional
> commits since the last revision:
>
> - Remove trailing whitespace
> - Refactor P11RSAKeyFactory and improve tests
test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java line 36:
> 34: * @test
> 35: * @bug 8263404
> 36: * @summary RsaPrivateKeySpec is always recognized as
> RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
It'd be clearer to re-word the summary to clear things up, e.g. return
RSAPrivateCrtKeySpec for CRT Keys even when RSAPrivateKeySpec is specified for
KeyFactory.getKeySpec() calls.
test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java line 38:
> 36: * @summary RsaPrivateKeySpec is always recognized as
> RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
> 37: * @summary Also checks to ensure that sensitive RSA keys are correctly
> not exposed
> 38: * @author Greg Rubin, Ziyi Luo
Latest policy is to not include @author tag.
test/jdk/sun/security/pkcs11/rsa/TestP11KeyFactoryGetRSAKeySpec.java line 87:
> 85: if (!(spec instanceof RSAPrivateCrtKeySpec)) {
> 86: throw new Exception("Spec should be an instance of
> RSAPrivateCrtKeySpec");
> 87: }
Note that SunPKCS11 provider does not really generate the keys unlike
SunRsaSign provider, thus for correctness, you should check it's a CRT key
before you impose the instanceof RSAPrivateCrtKeySpec check.
-------------
PR: https://git.openjdk.java.net/jdk/pull/2949
