Re: RFR 8171190: Bump reference of NIST 800-57 Part 1 Rev 3 to Rev 4 in JarSigner API spec
7680 itself is 192 bits, and for any bitLength greater than 7680 I treat it as in a "higher" level. --Max > On Dec 14, 2016, at 5:19 PM, Bernd Eckenfelswrote: > > Hello, > > I noticed in the existing code: Is the comment "256 bits" referring to the > 'comparable strength'? > > # if (bitLength > 7680) { // 256 bits > > If so, it seems misleading, according to table 2 this would be 192 bit. Maybe > this can be corrected, removed or the meaning of the comment clarified. > > Gruss > Bernd > -- > http://bernd.eckenfels.net
Re: RFR 8171190: Bump reference of NIST 800-57 Part 1 Rev 3 to Rev 4 in JarSigner API spec
Hello, I noticed in the existing code: Is the comment "256 bits" referring to the 'comparable strength'? # if (bitLength > 7680) { // 256 bits If so, it seems misleading, according to table 2 this would be 192 bit. Maybe this can be corrected, removed or the meaning of the comment clarified. Gruss Bernd -- http://bernd.eckenfels.net _ From: Wang WeijunSent: Mittwoch, Dezember 14, 2016 4:39 AM Subject: RFR 8171190: Bump reference of NIST 800-57 Part 1 Rev 3 to Rev 4 in JarSigner API spec To: NIST 800-57 Part 1 has a new revision. The lines below are newly introduced in jdk9. diff --git a/src/java.base/share/classes/sun/security/x509/AlgorithmId.java b/src/java.base/share/classes/sun/security/x509/AlgorithmId.java --- a/src/java.base/share/classes/sun/security/x509/AlgorithmId.java +++ b/src/java.base/share/classes/sun/security/x509/AlgorithmId.java @@ -1024,7 +1024,7 @@ } } -// Values from SP800-57 part 1 rev 3 tables 2 and three +// Values from SP800-57 part 1 rev 4 tables 2 and 3 private static String ecStrength (int bitLength) { if (bitLength >= 512) { // 256 bits of strength return "SHA512"; @@ -1035,7 +1035,7 @@ } } -// same values for RSA and DSA +// Same values for RSA and DSA private static String ifcFfcStrength (int bitLength) { if (bitLength > 7680) { // 256 bits return "SHA512"; diff --git a/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java b/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java --- a/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java +++ b/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java @@ -430,7 +430,7 @@ * SHA384withECDSA for a 384-bit EC key. * * @implNote This implementation makes use of comparable strengths - * as defined in Tables 2 and 3 of NIST SP 800-57 Part 1-Rev.3. + * as defined in Tables 2 and 3 of NIST SP 800-57 Part 1-Rev.4. * Specifically, if a DSA or RSA key with a key size greater than 7680 * bits, or an EC key with a key size greater than or equal to 512 bits, * SHA-512 will be used as the hash function for the signature. Thanks Max
Re: RFR 8171190: Bump reference of NIST 800-57 Part 1 Rev 3 to Rev 4 in JarSigner API spec
Looks fine to me. Xuelei On 12/13/2016 6:09 PM, Wang Weijun wrote: NIST 800-57 Part 1 has a new revision. The lines below are newly introduced in jdk9. diff --git a/src/java.base/share/classes/sun/security/x509/AlgorithmId.java b/src/java.base/share/classes/sun/security/x509/AlgorithmId.java --- a/src/java.base/share/classes/sun/security/x509/AlgorithmId.java +++ b/src/java.base/share/classes/sun/security/x509/AlgorithmId.java @@ -1024,7 +1024,7 @@ } } -// Values from SP800-57 part 1 rev 3 tables 2 and three +// Values from SP800-57 part 1 rev 4 tables 2 and 3 private static String ecStrength (int bitLength) { if (bitLength >= 512) { // 256 bits of strength return "SHA512"; @@ -1035,7 +1035,7 @@ } } -// same values for RSA and DSA +// Same values for RSA and DSA private static String ifcFfcStrength (int bitLength) { if (bitLength > 7680) { // 256 bits return "SHA512"; diff --git a/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java b/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java --- a/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java +++ b/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java @@ -430,7 +430,7 @@ * SHA384withECDSA for a 384-bit EC key. * * @implNote This implementation makes use of comparable strengths - * as defined in Tables 2 and 3 of NIST SP 800-57 Part 1-Rev.3. + * as defined in Tables 2 and 3 of NIST SP 800-57 Part 1-Rev.4. * Specifically, if a DSA or RSA key with a key size greater than 7680 * bits, or an EC key with a key size greater than or equal to 512 bits, * SHA-512 will be used as the hash function for the signature. Thanks Max
RFR 8171190: Bump reference of NIST 800-57 Part 1 Rev 3 to Rev 4 in JarSigner API spec
NIST 800-57 Part 1 has a new revision. The lines below are newly introduced in jdk9. diff --git a/src/java.base/share/classes/sun/security/x509/AlgorithmId.java b/src/java.base/share/classes/sun/security/x509/AlgorithmId.java --- a/src/java.base/share/classes/sun/security/x509/AlgorithmId.java +++ b/src/java.base/share/classes/sun/security/x509/AlgorithmId.java @@ -1024,7 +1024,7 @@ } } -// Values from SP800-57 part 1 rev 3 tables 2 and three +// Values from SP800-57 part 1 rev 4 tables 2 and 3 private static String ecStrength (int bitLength) { if (bitLength >= 512) { // 256 bits of strength return "SHA512"; @@ -1035,7 +1035,7 @@ } } -// same values for RSA and DSA +// Same values for RSA and DSA private static String ifcFfcStrength (int bitLength) { if (bitLength > 7680) { // 256 bits return "SHA512"; diff --git a/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java b/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java --- a/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java +++ b/src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java @@ -430,7 +430,7 @@ * SHA384withECDSA for a 384-bit EC key. * * @implNote This implementation makes use of comparable strengths - * as defined in Tables 2 and 3 of NIST SP 800-57 Part 1-Rev.3. + * as defined in Tables 2 and 3 of NIST SP 800-57 Part 1-Rev.4. * Specifically, if a DSA or RSA key with a key size greater than 7680 * bits, or an EC key with a key size greater than or equal to 512 bits, * SHA-512 will be used as the hash function for the signature. Thanks Max