On 5/7/2016 1:17 AM, Michael StJohns wrote: > On 5/6/2016 10:40 AM, Xuelei Fan wrote: >> Hi, >> >> Please review this simple test failure fix: >> >> http://cr.openjdk.java.net/~xuelei/8154344/webrev.00/ >> >> The underlying crypto lib may generate DH private keys out of the normal >> expected range. This fix removes the range checking for DH private keys. >> >> Thanks, >> Xuelei > > I'm confused about this. I read the code and reviewed NIST SP800-56A > Rev 1, section 5.6.2.4 and the check you're commenting out is the > correct check for validity. If the provider is failing this check, > shouldn't the provider be fixed? > Yes. This is might be a platform crypto lib issue. I want to bring back the testing at first, and open the test again after the issue get fixed.
> I.e. the test is failing as expected. > > If you still want to open up this code, then I'd probably add the second > test for the public key: > > if (y.modPow(q,p).compareTo(BigInteger.ONE) != 0) > throw new Exception (...); > > I'd probably also compare the params in both public and private keys for > equality at the beginning of the checkKeyPair test and then dump the > second check for p.bitSize(). > Hm, good suggestions! I will make the update if the test opens later. Thanks, Xuelei
