8168728: DSA signing improvments
Reviewed-by: valeriep, vinnie, ahgross, asmotrak, robm
--- a/jdk/src/java.base/share/classes/sun/security/provider/DSA.java Wed Oct 12 12:56:35 2016 -0400
+++ b/jdk/src/java.base/share/classes/sun/security/provider/DSA.java Thu Nov 10 15:46:40 2016 +0000
@@ -427,13 +427,49 @@
return t5.mod(q);
}
- // NOTE: This following impl is defined in FIPS 186-4 AppendixB.2.1.
protected BigInteger generateK(BigInteger q) {
+ // Implementation defined in FIPS 186-4 AppendixB.2.1.
SecureRandom random = getSigningRandom();
byte[] kValue = new byte[(q.bitLength() + 7)/8 + 8];
random.nextBytes(kValue);
- return new BigInteger(1, kValue).mod(q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
+ BigInteger k = new BigInteger(1, kValue).mod(
+ q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
+
+ // Using an equivalent exponent of fixed length (same as q or 1 bit
+ // less than q) to keep the kG timing relatively constant.
+ //
+ // Note that this is an extra step on top of the approach defined in
+ // FIPS 186-4 AppendixB.2.1 so as to make a fixed length K.
+ k = k.add(q).divide(BigInteger.TWO);
+
+ // An alternative implementation based on FIPS 186-4 AppendixB2.2
+ // with fixed-length K.
+ //
+ // Please keep it here as we may need to switch to it in the future.
+ //
+ // SecureRandom random = getSigningRandom();
+ // byte[] kValue = new byte[(q.bitLength() + 7)/8];
+ // BigInteger d = q.subtract(BigInteger.TWO);
+ // BigInteger k;
+ // do {
+ // random.nextBytes(kValue);
+ // BigInteger c = new BigInteger(1, kValue);
+ // if (c.compareTo(d) <= 0) {
+ // k = c.add(BigInteger.ONE);
+ // // Using an equivalent exponent of fixed length to keep
+ // // the g^k timing relatively constant.
+ // //
+ // // Note that this is an extra step on top of the approach
+ // // defined in FIPS 186-4 AppendixB.2.2 so as to make a
+ // // fixed length K.
+ // if (k.bitLength() >= q.bitLength()) {
+ // break;
+ // }
+ // }
+ // } while (true);
+
+ return k;
}
// Use the application-specified SecureRandom Object if provided.
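Review bot: The comment above `k = k.add(q).divide(BigInteger.TWO);` calls the result an "equivalent exponent", but (k + q) / 2 is not congruent to k mod q; it is a different nonce, and for k in [1, q-1] it always lands in [(q+1)/2, q-1]. The returned value is therefore no longer uniform over [1, q-1], which is what the B.2.1 steps on the preceding lines produce. DSA relies on k being unpredictable and unbiased, so whether confining k to the upper half of the range is acceptable should be confirmed and recorded in the comment. I would reword it along the lines of `// Map k into [(q+1)/2, q-1] so its length is q.bitLength() or one bit less; this replaces k with a new nonce and halves the range FIPS 186-4 B.2.1 draws from.` The same comment says "kG timing" while the commented-out alternative below says "g^k"; for this finite-field DSA class the latter wording appears to be the accurate one.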