[Bug 2390] [IcedTea7] Make elliptic curve removal optional

bugzilla-daemon at icedtea.classpath.org
Tue Mar 1 20:35:10 UTC 2016


http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2390

--- Comment #13 from Andrew John Hughes <gnu.andrew at redhat.com> ---
There's this for the user obtaining the curves:

https://bugs.openjdk.java.net/browse/JDK-8080704

which is an issue too, but I think the one we're discussing here is how the JDK
interfaces, providers and SSL implementation work together. At present, the SSL
code, the JDK EC interfaces and the providers all have their own list of
supported curves, which is why we've ended up with these patches to amend the
first two of those to fit with the providers we've used. In the process, that's
caused problems with providers that do support more curves.

Looking through the code, it may be possible to fix that without an API change.
The SunEC provider already exposes its curves via a property:

jdk9/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java:        // "AlgorithmParameters.EC SupportedCurves" prop used by unit test

but it's not used anywhere inside the JDK code.

I think, as a minimum, we could:

1. Make SSL obtain the curve list from the provider
2. Populate the curve database from the provider, not vice versa.

and I can work on a patch for that. That could hopefully allow PKCS11 to list
more curves than SunEC, though at the moment the PKCS11 provider doesn't appear
to report the supported curves at all.

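Added example, not part of the original comment and not JDK or IcedTea code: a small audit tool that reads the "AlgorithmParameters.EC SupportedCurves" property mentioned above from every installed provider, to show which providers report a curve list and which offer EC without reporting one. The class name ProviderCurves and the value layout `[name,alias,...,oid]|[...]` are assumptions (the layout is what SunEC emits; the comment does not state it).

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class ProviderCurves {
    // Property named in the comment above; a provider registers it as an
    // attribute of its AlgorithmParameters.EC service.
    static final String PROP = "AlgorithmParameters.EC SupportedCurves";

    // Assumed value layout (not stated in the comment):
    //   [name,alias,...,oid]|[name,alias,...,oid]|...
    // Returns OID -> names; empty map if the value is null or has no entries.
    static Map<String, List<String>> parse(String value) {
        Map<String, List<String>> curves = new LinkedHashMap<>();
        if (value == null) return curves;
        for (String entry : value.split("\\|")) {
            entry = entry.trim();
            if (entry.startsWith("[")) entry = entry.substring(1);
            if (entry.endsWith("]")) entry = entry.substring(0, entry.length() - 1);
            String[] parts = entry.split(",");
            if (parts.length < 2) continue; // need at least one name and an OID
            List<String> names = new ArrayList<>();
            for (int i = 0; i < parts.length - 1; i++) names.add(parts[i].trim());
            curves.put(parts[parts.length - 1].trim(), names);
        }
        return curves;
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) {
            // Skip providers that do not offer EC parameters at all.
            if (p.getService("AlgorithmParameters", "EC") == null) continue;
            Map<String, List<String>> curves = parse(p.getProperty(PROP));
            if (curves.isEmpty()) {
                // The case the comment describes for PKCS11: EC, but no list.
                System.out.println(p.getName() + ": EC offered, no curve list reported");
                continue;
            }
            System.out.println(p.getName() + ": " + curves.size() + " curves reported");
            for (Map.Entry<String, List<String>> e : curves.entrySet()) {
                System.out.println("  " + e.getKey() + " " + e.getValue());
            }
        }
    }
}
```

Comparing this output with the curves a TLS handshake actually offers on the same runtime shows where the separate lists described in the comment disagree.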