Support for ECParameters with explicit (not named) parameter spec
Adam Petcher
adam.petcher at oracle.com
Wed Dec 6 19:38:35 UTC 2017
On 12/6/2017 11:39 AM, Max Fichtelmann wrote:
> We use a HSM to generate ECDSA Keys and are required to use the curve
> brainpoolP256r1.
>
> Although the HSM does not specifically support brainpool, it is
> possible to generate these keys by providing the specific Curve
> Parameters. These curve parameters are then saved in CKA_EC_PARAMS...
<snip>
> When using SunPKCS11 to load the KeyPair, ECParams is used with the
> value of CKA_EC_PARAMS which then fails.
>
> So there are not many options I see - either patching JDK or getting
> the HSM-Vendor to add support for brainpool...
I think this problem is pretty good motivation for enhancing this code
to support specified domain parameters. So if you are going to write
code to fix this, please consider submitting a patch.
There may be another way to fix this problem without patching the JDK.
You could develop (or locate) a JCA provider including an
AlgorithmParameters service for "EC" that has this desired
functionality. Install[1] this provider with a preference higher than
SunEC, and it will be used to decode the CKA_EC_PARAMS. But note that
this may also change other (unrelated) crypto behavior in your application.
[1]
https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderInstalling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20171206/2601d5d2/attachment.htm>
More information about the security-dev
mailing list