Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

xds: not to use insecure DSA crypto #7347

Merged
merged 2 commits into from Aug 21, 2020
Merged

xds: not to use insecure DSA crypto #7347

merged 2 commits into from Aug 21, 2020

Conversation

dapengzhang0
Copy link
Member

Although DSA is only used in tests so it's totally no security concern, it's annoying we need some workaround for internal checks to import. So removing the usage.

@dapengzhang0
xds: not to use insecure DSA crypto
f8da86d 
Although DSA is only used in tests so it's totally no security concern, it's annoying we need some workaround for internal checks to import. So removing the usage.
sanjaypujare
sanjaypujare reviewed Aug 21, 2020
View reviewed changes
xds/src/test/java/io/grpc/xds/internal/certprovider/CommonCertProviderTestUtils.java
}
}
}
return KeyFactory.getInstance("RSA").generatePrivate(spec);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My suggestion was to only remove the "DSA" case if that was the offending line. So something like:

    try {
      return KeyFactory.getInstance("RSA").generatePrivate(spec);
    } catch (InvalidKeySpecException ignore) {
      try {
        return KeyFactory.getInstance("EC").generatePrivate(spec);
      } catch (InvalidKeySpecException ignore2) {
       throw new InvalidKeySpecException("Neither RSA, nor EC worked", e);
      }
    }

But if "EC" is also going to cause problems I am okay with this change. Could you confirm?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EC is not disallowed. I also removed EC because you said "it might be okay to remove both DSA and EC since none of the tests is using those AFAIK" So we can delete unused code, if we do have EC case later we can add it back.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I remember saying that but I was thinking we just make the minimal change necessary to unblock the import. Anyway we can add "EC" back if we ever need it (doubtful).

sanjaypujare
sanjaypujare approved these changes Aug 21, 2020
View reviewed changes
Copy link
Contributor

@sanjaypujare sanjaypujare left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dapengzhang0 dapengzhang0 merged commit b8fe968 into master Aug 21, 2020
@dapengzhang0 dapengzhang0 deleted the dapengzhang0-patch-1 branch August 21, 2020 18:19
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 8, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@sanjaypujare sanjaypujare sanjaypujare approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@dapengzhang0 @sanjaypujare