On 2/21/2012 5:33 PM, Valerie (Yu-Ching) Peng wrote:
Brad,
Can you please review the fixes for the following 2 bugs:
* 7146728: Inconsistent length for the generated secret using DH key
agreement impl from SunJCE and PKCS11
o http://cr.openjdk.java.net/~valeriep/7146728/webrev.00/
This impacts both SunJCE provider and SunPKCS11 provider. The
implementations are inconsistent within SunJCE provider itself
between the engineGenerateSecret() and
engineGenerateSecret(byte[], int). Given that RFC 2631 specifies
the leading 0s must be preserved so the generated secret has as
many octets as the prime P,
Just to be clear here, you're referring to Section 2.1.2 of 2631, which
is just one of the DH Key agreement variants (based on X9.42) for
generating Keying Material from secret keys obtained from a "raw" DH
calculations, and is then subject later SHA1 manipulations, right? This
method provides motivation/incentive to output our secret keys with the
same lengths, but I don't think this RFC makes any claims that the
general output of "raw" DH key agreement operation must be the same length.
I'll take another look over the code tomorrow.
Thanks,
Brad
I have changed both SunJCE and
SunPKCS11 provider to do so. When testing against Solaris and
NSS libraries, Solaris preserves the leading 0s while NSS trims
it off, thus similar handling is also needed in SunPKCS11 provider.
* 7130959: Tweak 7058133 fix for JDK 8 (javah makefile changes)
o http://cr.openjdk.java.net/~valeriep/7130959/webrev.00/
Instead of using the -Xbootclasspath, switching over to use
-boothclasspath for consistency with the backported changes in
the update releases for earlier JDK, e.g. 7u.
Thanks,
Valerie
