Mercurial > hg > icedtea7-forest > jdk
changeset 9106:b8985d1ff2b4
8168728: DSA signing improvments
Reviewed-by: xuelei
author | robm |
---|---|
date | Wed, 16 Nov 2016 15:12:50 +0000 |
parents | 335b0f280916 |
children | 897867b8dc84 |
files | src/share/classes/sun/security/provider/DSA.java |
diffstat | 1 files changed, 38 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/provider/DSA.java Wed Nov 16 15:49:39 2016 +0000 +++ b/src/share/classes/sun/security/provider/DSA.java Wed Nov 16 15:12:50 2016 +0000 @@ -372,13 +372,49 @@ return t5.mod(q); } - // NOTE: This following impl is defined in FIPS 186-4 AppendixB.2.1. protected BigInteger generateK(BigInteger q) { + // Implementation defined in FIPS 186-4 AppendixB.2.1. SecureRandom random = getSigningRandom(); byte[] kValue = new byte[(q.bitLength() + 7)/8 + 8]; random.nextBytes(kValue); - return new BigInteger(1, kValue).mod(q.subtract(BigInteger.ONE)).add(BigInteger.ONE); + BigInteger k = new BigInteger(1, kValue).mod( + q.subtract(BigInteger.ONE)).add(BigInteger.ONE); + + // Using an equivalent exponent of fixed length (same as q or 1 bit + // less than q) to keep the kG timing relatively constant. + // + // Note that this is an extra step on top of the approach defined in + // FIPS 186-4 AppendixB.2.1 so as to make a fixed length K. + k = k.add(q).divide(BigInteger.valueOf(2)); + + // An alternative implementation based on FIPS 186-4 AppendixB2.2 + // with fixed-length K. + // + // Please keep it here as we may need to switch to it in the future. + // + // SecureRandom random = getSigningRandom(); + // byte[] kValue = new byte[(q.bitLength() + 7)/8]; + // BigInteger d = q.subtract(BigInteger.TWO); + // BigInteger k; + // do { + // random.nextBytes(kValue); + // BigInteger c = new BigInteger(1, kValue); + // if (c.compareTo(d) <= 0) { + // k = c.add(BigInteger.ONE); + // // Using an equivalent exponent of fixed length to keep + // // the g^k timing relatively constant. + // // + // // Note that this is an extra step on top of the approach + // // defined in FIPS 186-4 AppendixB.2.2 so as to make a + // // fixed length K. + // if (k.bitLength() >= q.bitLength()) { + // break; + // } + // } + // } while (true); + + return k; } // Use the application-specified SecureRandom Object if provided.