7054637 closed/lib/security/cacerts/VerifyCACerts.java failed on solaris 11
Michael StJohns
mstjohns at comcast.net
Thu Sep 22 22:18:57 UTC 2011
Hi Vincent -
Sorry - it took me a few days to look at this. I can't support it.
I think this the wrong way to do things - specifically the dependence on the presence of a PKCS11 attribute in the Vendor space.
You've got a value in PKCS11Constants
+ /* Only the raw encoding for an EC point is supported */
+ public static final long CKA_ENABLE_RAW_EC_POINT = (CKA_VENDOR_DEFINED | 1);
+
The problem is that this has a pretty good chance of colliding with an actual vendor defined value. For example, Utimaco has CKA_ATTRIBUTE_LIST 0x80000001 (same as CKA_VENDOR_DEFINED | 1).
Instead, use the attribute list of the provider configuration. You'll have to mod sun.security.pkcs11.Config.java - but you won't have the changes in either PKCS11Constants or Functions that are currently there.
The problem should be provider wide and not need a per-token config item.
So the config file gets instead:
useEcX963Encoding=true around line 13 of the .cfg file.
Config.java sets the boolean useEcX963Encoding.
P11ECKeyFactory.java checks "token.config.useEcX963Encoding".
Avoid the use of the term "raw" please - that got us into a number of problems when revising PKCS11. It actually tends to mean just the concatenation of the X and Y points without a format identifier which is not what you mean here according to PKCS11. X9.63 encoding is 1 octet of format identifier - generally 04 for uncompressed - and 2N bytes of X and Y. ECPoint (as defined in PKCS11) is the X9.63 encoding wrapped in an ASN1 OctetString.
Thanks! Mike
At 02:17 PM 9/14/2011, Vincent Ryan wrote:
>Please review the following fix to the SunPKCS11 JCE provider:
>
>http://cr.openjdk.java.net/~vinnie/7054637/webrev.00/
>
>The problem is that some older PKCS11 tokens support only the raw encoding for
>EC point in Elliptic Curve public keys. This fix introduces a configuration
>attribute that controls whether the raw-encoding or DER-encoding shall be used.
>
>It aids interoperability between older and newer PKCS11 tokens.
>
>Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20110922/bf500b0b/attachment.htm>
More information about the security-dev
mailing list