Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8155847

SHA groups needed for jdk.security.provider.preferred

XMLWordPrintable

    • b120
    • Verified

      While Cipher transform can be easily wildcarded by specifying a portion of the transformation, MessageDigest and Mac are not so easy. I recently noticed "SHA1:SUN" was not triggering HMAC because SunPKCS11 intercepts the request.

      While the internals of SunJCE do the right thing to get an instance for the message digest for use with HMAC, SunPKCS11 does not get an instance of the message digest and just sends it back to the native library. SunPKCS11 is not doing the wrong thing here, this wasn't anticipated during the project.

      As a result of this, each HMAC transformation would need to be specified on the jdk.security.provider.preferred. This will create a long list of algorithm names. It would be better to group them together in simple names. We will also use the 'type' to specify the group. The 'type' is used for the Service type, such as MessageDigest.SHA1 or Cipher.RSA. For these groups we will use a new type called "Group". New groups would be: Group.SHA2 and Group.HmacSHA2, Group.SHA2RSA, Group.SHA2DSA, Group.SHA2ECDSA, Group.SHA3, Group.HmacSHA3,

      Group.SHA2 = SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256

      Group.HmacSHA2 = HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512
      Group.SHA2RSA = SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA
      Group.SHA2DSA = SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA
      Group.SHA2ECDSA = SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA
      Group.SHA3 = SHA3-224, SHA3-256, SHA3-384, SHA3-512
      Group.HmacSHA3 = HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512

      A new sparc jdk.security.provider.preferred line would be:
        jdk.security.provider.preferred=AES:SunJCE, SHA1:SUN, HmacSHA1:SunJCE, Group.SHA2:SUN, Group.HmacSHA2:SunJCE

            ascarpino Anthony Scarpino
            ascarpino Anthony Scarpino
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: