7054637 closed/lib/security/cacerts/VerifyCACerts.java failed on solaris 11

Michael StJohns mstjohns at comcast.net
Thu Sep 22 15:18:57 PDT 2011

Hi Vincent - 

Sorry - it took me a few days to look at this.  I can't support it.

I think this the wrong way to do things - specifically the dependence on the presence of a PKCS11 attribute in the Vendor space.  

You've got a value in PKCS11Constants  

+    /* Only the raw encoding for an EC point is supported */
+    public static final long CKA_ENABLE_RAW_EC_POINT = (CKA_VENDOR_DEFINED | 1);

The problem is that this has a pretty good chance of colliding with an actual vendor defined value.  For example,  Utimaco has CKA_ATTRIBUTE_LIST  0x80000001 (same as CKA_VENDOR_DEFINED | 1).

Instead, use the attribute list of the provider configuration.  You'll have to mod sun.security.pkcs11.Config.java - but you won't have the changes in either PKCS11Constants or Functions that are currently there.

The problem should be provider wide and not need a per-token config item.

So the config file gets instead:

useEcX963Encoding=true around line 13 of the .cfg file.

Config.java sets the boolean useEcX963Encoding.

P11ECKeyFactory.java checks "token.config.useEcX963Encoding".

Avoid the use of the term "raw" please - that got us into a number of problems when revising PKCS11.  It actually tends to mean just the concatenation of the X and Y points without a format identifier which is not what you mean here according to PKCS11.  X9.63 encoding is 1 octet of format identifier - generally 04 for uncompressed - and 2N bytes of X and Y.   ECPoint (as defined in PKCS11) is the X9.63 encoding wrapped in an ASN1 OctetString.

Thanks! Mike

At 02:17 PM 9/14/2011, Vincent Ryan wrote:
>Please review the following fix to the SunPKCS11 JCE provider:
>The problem is that some older PKCS11 tokens support only the raw encoding for
>EC point in Elliptic Curve public keys. This fix introduces a configuration
>attribute that controls whether the raw-encoding or DER-encoding shall be used.
>It aids interoperability between older and newer PKCS11 tokens.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/security-dev/attachments/20110922/bf500b0b/attachment.html 

More information about the security-dev mailing list