[security-dev 01277]: Re: ECC pkcs#11 bug]

Andrew John Hughes gnu_andrew at member.fsf.org
Tue Oct 6 02:24:17 PDT 2009


2009/10/5 Tomas Gustavsson <tomas at primekey.se>:
>
> Hi Vincent and Brad,
>
> I'm not sure how things are at Sun currently. We work with Sun here in
> Sweden so we've heard a bit about wait with the Oracle story.
>
> Anyhow I just want to let you know that if anyone is still working on
> crypto that this bug is very annoying, and affect all existing HSMs as
> far as I can see. ECC is rolling out pretty wide in europe now with new
> electronic passports and other ecc cards.
> So getting this fixed would be quite welcome, it's a small fix. I've
> tested it on SafeNet HSMs myself right now.
>
>
> Kind regards,
> Tomas Gustavsson
> PrimeKey Solutions AB
>
>
> Lars Silvén wrote:
>> -------- Forwarded Message --------
>> From: Brad Wetmore <Bradford.Wetmore at Sun.COM>
>> To: Lars Silvén <lars at primekey.se>
>> Cc: security-dev at openjdk.java.net, Vinnie Ryan <Vincent.Ryan at Sun.COM>
>> Subject: Re: [security-dev 00550]: Re: ECC pkcs#11 bug
>> Date: Thu, 05 Feb 2009 11:34:49 -0800
>>
>> Hi Lars,
>>
>> I was hoping that Vincent Ryan had already contacted you about this.
>>
>> I got redirected from ECC to work on the OpenJDK Bugzilla instance,
>> which is rolling out very soon.  Vincent took over the ECC work late
>> last year along with your submission.  The short answer is, between a
>> lengthy customer escalation and bugzilla, I've been so heads down for
>> the last 4 months, I'm not sure how far he's gotten.
>>
>> Vinnie, can you provide more info?
>>
>> Brad
>>
>>
>> Lars Silvén wrote:
>>> Brad,
>>>
>>> Any news about the p11 ECC bug.
>>>
>>> When will it be fixed?
>>>
>>>
>>> Best Regards,
>>> Lars
>>>
>>>
>>>
>>> Lars Silvén wrote:
>>>> Hello,
>>>>
>>>> Thank you for taking care of this.
>>>> We want this fix in both JDK 6 and 7. I like to know the release date for the
>>>> fix in both versions if possible.
>>>>
>>>> Lars
>>>>
>>>> Brad Wetmore wrote:
>>>>> Lars Silvén wrote:
>>>>>> Hi Brad,
>>>>>>
>>>>>> Do you have everything you need to fix the bug.
>>>>> I believe so.  I haven't started looking at it closely yet, I'm still
>>>>> mopping up several fires.  Unfortunately, I'm the chef, busboy, and
>>>>> bottle washer for several projects here.
>>>>>
>>>>>> Or is there anything more I could do to help.
>>>>>>
>>>>>> I have now also tested the nCipher HSM. To get their p11 working my
>>>>>> patch had to be applied.
>>>>>>
>>>>>> Do you have any idea when we the fix could be released?
>>>>> Are you looking for JDK7, or 6?
>>>>>
>>>>> Brad
>>>>>
>>>>>> Best Regards
>>>>>>
>>>>>> Brad Wetmore wrote:
>>>>>>> Lars Silvén wrote:
>>>>>>>> Hi Brad,
>>>>>>>>
>>>>>>>> I have written a simple application that illustrates the problem:
>>>>>>>> http://bunny.primekey.se/~lars/sunP11Bug/src/test/Main.java
>>>>>>>>
>>>>>>>> But you need a p11 module with ECC capability to run it. Do you have
>>>>>>>> one?
>>>>>>> Yes.
>>>>>>>
>>>>>>>> If not I could investigate if one of our HSM vendors could send you
>>>>>>>> one.
>>>>>>>> Also to verify that the public key actually is usable a JCA provider
>>>>>>>> with ECC is needed.
>>>>>>> I'm going to be working on adding ECC to the JCE provider for JDK 7.
>>>>>>>
>>>>>>> Thanks for the case.
>>>>>>>
>>>>>>> Brad
>>>>>>>
>>>>>>>
>>>>>>>  But for that you could use BouncyCastle.
>>>>>>>> Start running the application without parameters and then you get a
>>>>>>>> description of needed parameters.
>>>>>>>>
>>>>>>>> Lars
>>>>>>>>
>>>>>>>>
>>>>>>>> Brad Wetmore wrote:
>>>>>>>>> Great, thanks for doing so.
>>>>>>>>>
>>>>>>>>> I'll be working on this fairly soon, so I'll get a bug filed.  Do you
>>>>>>>>> have a standalone test case for this already?  See step 3 of the
>>>>>>>>> contribute page.  If you do but you don't have it in jtreg format,
>>>>>>>>> I can
>>>>>>>>> get it into the jtreg format.
>>>>>>>>>
>>>>>>>>> Brad
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Lars Silvén wrote:
>>>>>>>>>> Here is my SCA!
>>>>>>>>>>
>>>>>>>>>> //Lars
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Brad Wetmore wrote:
>>>>>>>>>>> Hi Lars,
>>>>>>>>>>>
>>>>>>>>>>>> I have created a patch that is fixing the problem:
>>>>>>>>>>> This is Brad Wetmore, I am the Security group Moderator, and also
>>>>>>>>>>> the
>>>>>>>>>>> person who will be handling this when I get back to working on the
>>>>>>>>>>> Java
>>>>>>>>>>> ECC implementation.
>>>>>>>>>>>
>>>>>>>>>>> Unfortunately, I can't take your source contribution yet without a
>>>>>>>>>>> signed copy of the Sun Contribution Agreement in place.  This is
>>>>>>>>>>> done
>>>>>>>>>>> for your protection as well as the Sun's and the OpenJDK
>>>>>>>>>>> community's.
>>>>>>>>>>>
>>>>>>>>>>> Please see the following link for more information:
>>>>>>>>>>>
>>>>>>>>>>>     http://openjdk.java.net/contribute/
>>>>>>>>>>>
>>>>>>>>>>> The Signatories of the SCA are eligible to donate code to all
>>>>>>>>>>> products
>>>>>>>>>>> and projects owned or managed by Sun:  signing it once means you can
>>>>>>>>>>> contribute code to any Sun-sponsored open source project.
>>>>>>>>>>>
>>>>>>>>>>> If you have recently signed it and it hasn't yet appeared in our
>>>>>>>>>>> database yet, just let me know.
>>>>>>>>>>>
>>>>>>>>>>> Discussions of the problem is fine, it's just the source that we
>>>>>>>>>>> can't
>>>>>>>>>>> take at this point.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Brad
>>>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>

What bug are we discussing here? I don't see any patch or bug ID.
-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8



More information about the security-dev mailing list