8138653: Default key sizes for the AlgorithmParameterGenerator and KeyPairGenerator implementations should be upgraded
Reviewed-by: coffeys, vinnie
--- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java Sat Mar 05 10:34:06 2016 +0800
+++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java Mon Mar 07 10:10:04 2016 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -43,7 +43,7 @@
* <li>By providing the size in bits of the prime modulus -
* This will be used to create a prime modulus and base generator, which will
* then be used to create the Diffie-Hellman key pair. The default size of the
- * prime modulus is 1024 bits.
+ * prime modulus is 2048 bits.
* <li>By providing a prime modulus and base generator
* </ul>
*
@@ -68,7 +68,7 @@
public DHKeyPairGenerator() {
super();
- initialize(1024, null);
+ initialize(2048, null);
}
/**
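Review bot: The new default in the DHKeyPairGenerator constructor is a bare literal, `initialize(2048, null);`, the same literal reappears in the sun.security.rsa.RSAKeyPairGenerator constructor later in this commit, and the class Javadoc above restates the number in prose, so the three can drift apart on the next size bump. The MSCAPI RSAKeyPairGenerator in this same commit already uses a named `KEY_SIZE_DEFAULT`; the same shape here would be `private static final int DEFAULT_KEYSIZE = 2048;` and `initialize(DEFAULT_KEYSIZE, null);`, with the Javadoc referring to it via `{@value}` so the documented and enforced defaults cannot disagree. The same note applies to the SunRsaSign constructor hunk.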
--- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java Sat Mar 05 10:34:06 2016 +0800
+++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java Mon Mar 07 10:10:04 2016 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -37,7 +37,7 @@
*
* <p>The Diffie-Hellman parameter generation accepts the size in bits of the
* prime modulus and the size in bits of the random exponent as input.
- * The size of the prime modulus defaults to 1024 bits.
+ * The size of the prime modulus defaults to 2048 bits.
*
* @author Jan Luehe
*
@@ -50,7 +50,7 @@
extends AlgorithmParameterGeneratorSpi {
// The size in bits of the prime modulus
- private int primeSize = 1024;
+ private int primeSize = 2048;
// The size in bits of the random exponent (private value)
private int exponentSize = 0;
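Review bot: The new default `private int primeSize = 2048;` is not documented as a cost change, yet any fresh prime generation this class performs when no cached parameters are available is markedly slower at 2048 bits than at 1024 (the generation path is outside this hunk, so this is inferred from the algorithm rather than from visible code). A field comment such as `// Default 2048-bit modulus; uncached parameter generation is considerably slower than the former 1024-bit default` and a matching sentence in the class Javadoc would warn callers that relied on an uninitialized `AlgorithmParameterGenerator` for "DH" returning quickly. As with the generator constructors elsewhere in this commit, the literal would also read better as a named constant.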
--- a/jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java Sat Mar 05 10:34:06 2016 +0800
+++ b/jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java Mon Mar 07 10:10:04 2016 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -71,7 +71,7 @@
* associated with each of the keys.
*
* <p>If the algorithm is the <i>DSA</i> algorithm, and the keysize (modulus
- * size) is 512, 768, or 1024, then the <i>Sun</i> provider uses a set of
+ * size) is 512, 768, 1024, or 2048, then the <i>Sun</i> provider uses a set of
* precomputed values for the {@code p}, {@code q}, and
* {@code g} parameters. If the modulus size is not one of the above
* values, the <i>Sun</i> provider creates a new set of parameters. Other
@@ -96,7 +96,7 @@
* (via a call to an {@code initialize} method), each provider must
* supply (and document) a default initialization.
* For example, the <i>Sun</i> provider uses a default modulus size (keysize)
- * of 1024 bits.
+ * of 1024 bits for DSA key pairs.
*
* <p>Note that this class is abstract and extends from
* {@code KeyPairGeneratorSpi} for historical reasons.
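Review bot: The amended sentence now pins the documented default to DSA only (`of 1024 bits for DSA key pairs.`), but a reader of this class-level Javadoc is left without the RSA and DH defaults that this same commit raises to 2048 in the SunRsaSign and SunJCE generators. Since the paragraph exists precisely to illustrate provider defaults, one added sentence, e.g. `The <i>SunRsaSign</i> and <i>SunJCE</i> providers use a default keysize of 2048 bits for RSA and DH key pairs respectively.`, keeps the example consistent with the behaviour being shipped. The earlier list `512, 768, 1024, or 2048` still presents the smaller precomputed DSA sizes without comment; that text predates this change, but a short caveat that those sizes are retained for compatibility rather than recommended would help.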
--- a/jdk/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java Sat Mar 05 10:34:06 2016 +0800
+++ b/jdk/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java Mon Mar 07 10:10:04 2016 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -55,7 +55,7 @@
public RSAKeyPairGenerator() {
// initialize to default in case the app does not call initialize()
- initialize(1024, null);
+ initialize(2048, null);
}
// initialize the generator. See JCA doc
--- a/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java Sat Mar 05 10:34:06 2016 +0800
+++ b/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java Mon Mar 07 10:10:04 2016 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -46,7 +46,7 @@
// Supported by Microsoft Base, Strong and Enhanced Cryptographic Providers
static final int KEY_SIZE_MIN = 512; // disallow MSCAPI min. of 384
static final int KEY_SIZE_MAX = 16384;
- private static final int KEY_SIZE_DEFAULT = 1024;
+ private static final int KEY_SIZE_DEFAULT = 2048;
// size of the key to generate, KEY_SIZE_MIN <= keySize <= KEY_SIZE_MAX
private int keySize;
--- a/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/SunMSCAPI.java Sat Mar 05 10:34:06 2016 +0800
+++ b/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/SunMSCAPI.java Mon Mar 07 10:10:04 2016 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -182,7 +182,7 @@
* Key Pair Generator engines
*/
attrs.clear();
- attrs.put("KeySize", "1024");
+ attrs.put("KeySize", "16384");
putService(new ProviderService(p, "KeyPairGenerator",
"RSA", "sun.security.mscapi.RSAKeyPairGenerator",
null, attrs));
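Review bot: The new `attrs.put("KeySize", "16384");` hard-codes the same number that `RSAKeyPairGenerator.KEY_SIZE_MAX` holds in the sibling file of this commit, so the advertised maximum and the enforced maximum can silently diverge. Both classes live in `sun.security.mscapi` and the constant has package visibility, so `attrs.put("KeySize", String.valueOf(RSAKeyPairGenerator.KEY_SIZE_MAX));` ties them together. The JCA `KeySize` service attribute denotes the maximum key size a service supports, so a one-line comment to that effect would also explain why the value moved from the default-looking `"1024"` to the maximum rather than to the new 2048 default.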
--- a/jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java Sat Mar 05 10:34:06 2016 +0800
+++ b/jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java Mon Mar 07 10:10:04 2016 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -106,8 +106,15 @@
maxKeyLen = 2048;
}
} else {
- // RSA, DH, and DSA
- keySize = 1024;
+ if (algorithm.equals("DSA")) {
+ // keep default keysize at 1024 since larger keysizes may be
+ // incompatible with SHA1withDSA and SHA-2 Signature algs
+ // may not be supported by native pkcs11 implementations
+ keySize = 1024;
+ } else {
+ // RSA and DH
+ keySize = 2048;
+ }
if ((minKeyLen == -1) || (minKeyLen < 512)) {
minKeyLen = 512;
}
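Review bot: The new `if (algorithm.equals("DSA")) … else …` assigns a single field from a two-way choice, and its else-branch comment `// RSA and DH` is narrower than the branch, which also catches any other algorithm name that reaches this block. A conditional expression keeps the intent on one line, `keySize = algorithm.equals("DSA") ? 1024 : 2048;`, with the SHA1withDSA / native SHA-2 rationale kept as the comment above it and the comment widened to `// DSA stays at 1024 (see above); everything else, i.e. RSA and DH, moves to 2048`. The enclosing method begins and ends outside this hunk, so whether `algorithm` is validated against a fixed set before this point, and how the later min/max adjustment treats a 2048 default on a token with a smaller limit, is not visible here.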
--- a/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java Sat Mar 05 10:34:06 2016 +0800
+++ b/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java Mon Mar 07 10:10:04 2016 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -83,10 +83,10 @@
KeyPair kp;
KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH", "SunJCE");
- // Sun's default uses a default psize of 1024 and
+ // Sun's default uses a default psize of 2048 and
// lsize of (pSize / 2) but at least 384 bits
kp = kpg.generateKeyPair();
- checkKeyPair(kp, Sizes.ten24, Sizes.five12);
+ checkKeyPair(kp, Sizes.twenty48, Sizes.ten24);
DHPublicKey publicKey = (DHPublicKey)kp.getPublic();
BigInteger p = publicKey.getParams().getP();
@@ -98,15 +98,15 @@
kpg.initialize(new DHParameterSpec(p, g, Sizes.ten24.getIntSize()));
kp = kpg.generateKeyPair();
- checkKeyPair(kp, Sizes.ten24, Sizes.ten24);
+ checkKeyPair(kp, Sizes.twenty48, Sizes.ten24);
kpg.initialize(new DHParameterSpec(p, g, Sizes.five12.getIntSize()));
kp = kpg.generateKeyPair();
- checkKeyPair(kp, Sizes.ten24, Sizes.five12);
+ checkKeyPair(kp, Sizes.twenty48, Sizes.five12);
kpg.initialize(new DHParameterSpec(p, g, Sizes.two56.getIntSize()));
kp = kpg.generateKeyPair();
- checkKeyPair(kp, Sizes.ten24, Sizes.two56);
+ checkKeyPair(kp, Sizes.twenty48, Sizes.two56);
kpg.initialize(Sizes.five12.getIntSize());
kp = kpg.generateKeyPair();
--- a/jdk/test/sun/security/pkcs11/PKCS11Test.java Sat Mar 05 10:34:06 2016 +0800
+++ b/jdk/test/sun/security/pkcs11/PKCS11Test.java Mon Mar 07 10:10:04 2016 -0500
@@ -380,7 +380,9 @@
}
static double getNSSInfo(String library) {
- String nssHeader = "$Header: NSS";
+ // look for two types of headers in NSS libraries
+ String nssHeader1 = "$Header: NSS";
+ String nssHeader2 = "Version: NSS";
boolean found = false;
String s = null;
int i = 0;
@@ -408,7 +410,8 @@
}
s = new String(data, 0, read);
- if ((i = s.indexOf(nssHeader)) > 0) {
+ i = s.indexOf(nssHeader1);
+ if (i > 0 || (i = s.indexOf(nssHeader2)) > 0) {
found = true;
// If the nssHeader is before 920 we can break, otherwise
// we may not have the whole header so do another read. If
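Review bot: The rewritten test `i = s.indexOf(nssHeader1); if (i > 0 || (i = s.indexOf(nssHeader2)) > 0)` still treats index 0 as "not found", and now also discards a `$Header: NSS` match at offset 0 by overwriting `i` with the `Version: NSS` search result; unless offset 0 is deliberately excluded, `>= 0` in both comparisons is the intended check. The comment two lines below still speaks of "the nssHeader" in the singular and should read `// If either header is before 920 we can break, otherwise`. The enclosing getNSSInfo method starts in the previous hunk and continues past this one, so the later uses of `i` and `found` were not reviewed.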