[security-dev 01275]: Re: ECC pkcs#11 bug]

Tomas Gustavsson tomas at primekey.se
Mon Oct 5 13:46:18 UTC 2009


Hi Vincent and Brad,

I'm not sure how things are at Sun currently. We work with Sun here in
Sweden so we've heard a bit about wait with the Oracle story.

Anyhow I just want to let you know that if anyone is still working on
crypto that this bug is very annoying, and affect all existing HSMs as
far as I can see. ECC is rolling out pretty wide in europe now with new
electronic passports and other ecc cards.
So getting this fixed would be quite welcome, it's a small fix. I've
tested it on SafeNet HSMs myself right now.


Kind regards,
Tomas Gustavsson
PrimeKey Solutions AB


Lars Silvén wrote:
> -------- Forwarded Message --------
> From: Brad Wetmore <Bradford.Wetmore at Sun.COM>
> To: Lars Silvén <lars at primekey.se>
> Cc: security-dev at openjdk.java.net, Vinnie Ryan <Vincent.Ryan at Sun.COM>
> Subject: Re: [security-dev 00550]: Re: ECC pkcs#11 bug
> Date: Thu, 05 Feb 2009 11:34:49 -0800
> 
> Hi Lars,
> 
> I was hoping that Vincent Ryan had already contacted you about this.
> 
> I got redirected from ECC to work on the OpenJDK Bugzilla instance, 
> which is rolling out very soon.  Vincent took over the ECC work late 
> last year along with your submission.  The short answer is, between a 
> lengthy customer escalation and bugzilla, I've been so heads down for 
> the last 4 months, I'm not sure how far he's gotten.
> 
> Vinnie, can you provide more info?
> 
> Brad
> 
> 
> Lars Silvén wrote:
>> Brad,
>>
>> Any news about the p11 ECC bug.
>>
>> When will it be fixed?
>>
>>
>> Best Regards,
>> Lars
>>
>>
>>
>> Lars Silvén wrote:
>>> Hello,
>>>
>>> Thank you for taking care of this.
>>> We want this fix in both JDK 6 and 7. I like to know the release date for the
>>> fix in both versions if possible.
>>>
>>> Lars
>>>
>>> Brad Wetmore wrote:
>>>> Lars Silvén wrote:
>>>>> Hi Brad,
>>>>>
>>>>> Do you have everything you need to fix the bug.
>>>> I believe so.  I haven't started looking at it closely yet, I'm still
>>>> mopping up several fires.  Unfortunately, I'm the chef, busboy, and
>>>> bottle washer for several projects here.
>>>>
>>>>> Or is there anything more I could do to help.
>>>>>
>>>>> I have now also tested the nCipher HSM. To get their p11 working my
>>>>> patch had to be applied.
>>>>>
>>>>> Do you have any idea when we the fix could be released?
>>>> Are you looking for JDK7, or 6?
>>>>
>>>> Brad
>>>>
>>>>> Best Regards
>>>>>
>>>>> Brad Wetmore wrote:
>>>>>> Lars Silvén wrote:
>>>>>>> Hi Brad,
>>>>>>>
>>>>>>> I have written a simple application that illustrates the problem:
>>>>>>> http://bunny.primekey.se/~lars/sunP11Bug/src/test/Main.java
>>>>>>>
>>>>>>> But you need a p11 module with ECC capability to run it. Do you have
>>>>>>> one?
>>>>>> Yes.
>>>>>>
>>>>>>> If not I could investigate if one of our HSM vendors could send you
>>>>>>> one.
>>>>>>> Also to verify that the public key actually is usable a JCA provider
>>>>>>> with ECC is needed.
>>>>>> I'm going to be working on adding ECC to the JCE provider for JDK 7.
>>>>>>
>>>>>> Thanks for the case.
>>>>>>
>>>>>> Brad
>>>>>>
>>>>>>
>>>>>>  But for that you could use BouncyCastle.
>>>>>>> Start running the application without parameters and then you get a
>>>>>>> description of needed parameters.
>>>>>>>
>>>>>>> Lars
>>>>>>>
>>>>>>>
>>>>>>> Brad Wetmore wrote:
>>>>>>>> Great, thanks for doing so.
>>>>>>>>
>>>>>>>> I'll be working on this fairly soon, so I'll get a bug filed.  Do you
>>>>>>>> have a standalone test case for this already?  See step 3 of the
>>>>>>>> contribute page.  If you do but you don't have it in jtreg format,
>>>>>>>> I can
>>>>>>>> get it into the jtreg format.
>>>>>>>>
>>>>>>>> Brad
>>>>>>>>
>>>>>>>>
>>>>>>>> Lars Silvén wrote:
>>>>>>>>> Here is my SCA!
>>>>>>>>>
>>>>>>>>> //Lars
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Brad Wetmore wrote:
>>>>>>>>>> Hi Lars,
>>>>>>>>>>
>>>>>>>>>>> I have created a patch that is fixing the problem:
>>>>>>>>>> This is Brad Wetmore, I am the Security group Moderator, and also
>>>>>>>>>> the
>>>>>>>>>> person who will be handling this when I get back to working on the
>>>>>>>>>> Java
>>>>>>>>>> ECC implementation.
>>>>>>>>>>
>>>>>>>>>> Unfortunately, I can't take your source contribution yet without a
>>>>>>>>>> signed copy of the Sun Contribution Agreement in place.  This is
>>>>>>>>>> done
>>>>>>>>>> for your protection as well as the Sun's and the OpenJDK
>>>>>>>>>> community's.
>>>>>>>>>>
>>>>>>>>>> Please see the following link for more information:
>>>>>>>>>>
>>>>>>>>>>     http://openjdk.java.net/contribute/
>>>>>>>>>>
>>>>>>>>>> The Signatories of the SCA are eligible to donate code to all
>>>>>>>>>> products
>>>>>>>>>> and projects owned or managed by Sun:  signing it once means you can
>>>>>>>>>> contribute code to any Sun-sponsored open source project.
>>>>>>>>>>
>>>>>>>>>> If you have recently signed it and it hasn't yet appeared in our
>>>>>>>>>> database yet, just let me know.
>>>>>>>>>>
>>>>>>>>>> Discussions of the problem is fine, it's just the source that we
>>>>>>>>>> can't
>>>>>>>>>> take at this point.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Brad
>>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>



More information about the security-dev mailing list