JDK-6676054 : Java provider SunPKCS11-Solaris doesn't support KeyPairGenerator with DSA alg. for solaris 10 11
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 6u6,6u12
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • OS: solaris_10
  • CPU: generic,sparc
  • Submitted: 2008-03-17
  • Updated: 2012-03-22
  • Resolved: 2009-08-27
Description
JCK: JCK-runtime-6b b18
J2SE: FAIL - since FCS. Not a regression; was not found before because the test is new.
Platform[s]: FAIL -  Solaris 10/11 
	     PASS - Solaris 8 and 9
switch/Mode: FAIL - default

Test api/java_security/interfaces/DSAKeyPairGenerator/InitializeTests fails on Solaris 10 and 11 but passes on Solaris 8 and 9. The problem is that the test tries to create a KeyPairGenerator for every security provider registered in the system. For SunPKCS11-Solaris, KeyPairGenerator.getInstance throws NoSuchAlgorithmException.

According to the following references:
http://java.sun.com/javase/6/docs/technotes/guides/security/StandardNames.html#KeyPairGenerator
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#ALG

DSA should be supported for the PKCS#11 security provider.

Steps to reproduce:

Run the following code on Solaris 10 or 11:

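import java.security.KeyPairGenerator;

public class Test {

    public static void main(String[] argv) {
        try {
            // Request the DSA key pair generator from the named provider only;
            // this call throws NoSuchAlgorithmException on Solaris 10/11.
            KeyPairGenerator.getInstance("DSA", "SunPKCS11-Solaris");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}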

Comments
EVALUATION Due to the aforementioned backward compatibility concern, I don't think we can change the default configuration to enable DSA. Given that there are other crypto providers in JDK supporting DSA by default, I don't think this is a conformance issue or a violation of J2SE implementation requirements since DSA support is required per J2SE implementation and not per crypto provider. Thus, I am going to close this as "Not a Defect" - DSA KeyPairGenerator is supported by SunPKCS11-Solaris provider; it's disabled by default out of concerns for backward compatibility but can be enabled by changing the provider configuration file. The failed tests should be updated to skip SunPKCS11-Solaris provider for DSA key pair generation.
27-08-2009

EVALUATION Solaris Crypto Framework (and its providers underneath) does support DSA. However, due to a requirement on Java side, e.g. the API (DSAKeyPairGenerator interface) allows user to specify a boolean parameter for whether to reuse existing (vs generate new) parameters, SunPKCS11 provider chose to disable DSA key pair generation by default since there is no such parameter in native API. Out of concerns of compatibility with apps depending on such behavior, this bridge to native DSA key pair generator impl is *DISABLED BY DEFAULT*.
14-05-2008
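
A provider-probing loop of the kind the 27-08-2009 evaluation asks the test to adopt, as an added example (not JCK or JDK code): it skips any provider that registers no KeyPairGenerator.DSA service in its current configuration instead of letting getInstance throw NoSuchAlgorithmException, and it only uses the genParams flag where the returned object implements the DSAKeyPairGenerator interface. The class name DsaProviderProbe and the 1024-bit modulus size are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.interfaces.DSAKeyPairGenerator;
import java.util.ArrayList;
import java.util.List;

// Hypothetical class name; not part of the JCK test suite.
public class DsaProviderProbe {

    // Providers that register a KeyPairGenerator.DSA service as currently configured.
    // A provider whose configuration disables the mechanism is simply not returned.
    static List<Provider> dsaKeyPairGenProviders() {
        List<Provider> supported = new ArrayList<Provider>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyPairGenerator", "DSA") != null) {
                supported.add(p);
            } else {
                System.out.println("skip " + p.getName() + ": no KeyPairGenerator.DSA");
            }
        }
        return supported;
    }

    public static void main(String[] args) throws Exception {
        for (Provider p : dsaKeyPairGenProviders()) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", p);
            if (kpg instanceof DSAKeyPairGenerator) {
                // genParams=false asks for existing parameters rather than new ones;
                // this is the flag the 14-05-2008 evaluation says has no native equivalent.
                // 1024 bits is an assumed size, chosen to match the JDK 6 era of this report.
                ((DSAKeyPairGenerator) kpg).initialize(1024, false, new SecureRandom());
            } else {
                // Generic path: no way to express reuse-vs-generate through this API.
                kpg.initialize(1024, new SecureRandom());
            }
            KeyPair kp = kpg.generateKeyPair();
            System.out.println(p.getName() + ": generated " + kp.getPublic().getAlgorithm()
                    + " key pair via " + kpg.getClass().getName());
        }
    }
}
```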