[security-dev 00551]: Re: ECC pkcs#11 bug
Brad Wetmore
Bradford.Wetmore at Sun.COM
Thu Feb 5 19:34:49 UTC 2009
Hi Lars,
I was hoping that Vincent Ryan had already contacted you about this.
I got redirected from ECC to work on the OpenJDK Bugzilla instance,
which is rolling out very soon. Vincent took over the ECC work late
last year along with your submission. The short answer is, between a
lengthy customer escalation and Bugzilla, I've been so heads down for
the last 4 months, I'm not sure how far he's gotten.
Vinnie, can you provide more info?
Brad
Lars Silvén wrote:
> Brad,
>
> Any news about the p11 ECC bug?
>
> When will it be fixed?
>
>
> Best Regards,
> Lars
>
>
>
> Lars Silvén wrote:
>> Hello,
>>
>> Thank you for taking care of this.
>> We want this fix in both JDK 6 and 7. I would like to know the release date for the
>> fix in both versions if possible.
>>
>> Lars
>>
>> Brad Wetmore wrote:
>>> Lars Silvén wrote:
>>>> Hi Brad,
>>>>
>>>> Do you have everything you need to fix the bug?
>>> I believe so. I haven't started looking at it closely yet, I'm still
>>> mopping up several fires. Unfortunately, I'm the chef, busboy, and
>>> bottle washer for several projects here.
>>>
>>>> Or is there anything more I could do to help?
>>>>
>>>> I have now also tested the nCipher HSM. To get their p11 working my
>>>> patch had to be applied.
>>>>
>>>> Do you have any idea when the fix could be released?
>>> Are you looking for JDK7, or 6?
>>>
>>> Brad
>>>
>>>> Best Regards
>>>>
>>>> Brad Wetmore wrote:
>>>>> Lars Silvén wrote:
>>>>>> Hi Brad,
>>>>>>
>>>>>> I have written a simple application that illustrates the problem:
>>>>>> http://bunny.primekey.se/~lars/sunP11Bug/src/test/Main.java
>>>>>>
>>>>>> But you need a p11 module with ECC capability to run it. Do you have
>>>>>> one?
>>>>> Yes.
>>>>>
>>>>>> If not I could investigate if one of our HSM vendors could send you
>>>>>> one.
>>>>>> Also to verify that the public key actually is usable a JCA provider
>>>>>> with ECC is needed.
>>>>> I'm going to be working on adding ECC to the JCE provider for JDK 7.
>>>>>
>>>>> Thanks for the case.
>>>>>
>>>>> Brad
>>>>>
>>>>>
>>>>>> But for that you could use BouncyCastle.
>>>>>> Start running the application without parameters and then you get a
>>>>>> description of needed parameters.
>>>>>>
>>>>>> Lars
>>>>>>
>>>>>>
>>>>>> Brad Wetmore wrote:
>>>>>>> Great, thanks for doing so.
>>>>>>>
>>>>>>> I'll be working on this fairly soon, so I'll get a bug filed. Do you
>>>>>>> have a standalone test case for this already? See step 3 of the
>>>>>>> contribute page. If you do but you don't have it in jtreg format, I can
>>>>>>> get it into the jtreg format.
>>>>>>>
>>>>>>> Brad
>>>>>>>
>>>>>>>
>>>>>>> Lars Silvén wrote:
>>>>>>>> Here is my SCA!
>>>>>>>>
>>>>>>>> //Lars
>>>>>>>>
>>>>>>>>
>>>>>>>> Brad Wetmore wrote:
>>>>>>>>> Hi Lars,
>>>>>>>>>
>>>>>>>>>> I have created a patch that is fixing the problem:
>>>>>>>>> This is Brad Wetmore, I am the Security group Moderator, and also the
>>>>>>>>> person who will be handling this when I get back to working on the Java
>>>>>>>>> ECC implementation.
>>>>>>>>>
>>>>>>>>> Unfortunately, I can't take your source contribution yet without a
>>>>>>>>> signed copy of the Sun Contribution Agreement in place. This is done
>>>>>>>>> for your protection as well as Sun's and the OpenJDK community's.
>>>>>>>>>
>>>>>>>>> Please see the following link for more information:
>>>>>>>>>
>>>>>>>>> http://openjdk.java.net/contribute/
>>>>>>>>>
>>>>>>>>> The Signatories of the SCA are eligible to donate code to all products
>>>>>>>>> and projects owned or managed by Sun: signing it once means you can
>>>>>>>>> contribute code to any Sun-sponsored open source project.
>>>>>>>>>
>>>>>>>>> If you have recently signed it and it hasn't yet appeared in our
>>>>>>>>> database, just let me know.
>>>>>>>>>
>>>>>>>>> Discussion of the problem is fine, it's just the source that we can't
>>>>>>>>> take at this point.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Brad
>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>
>>>>>>>>
>>>>>>>>