[PATCH]: Support for brainpool curves from CurveDB in SunEC

Tobias Wagner tobias.wagner at n-design.de
Fri Dec 15 16:31:54 UTC 2017


Hi,

in our current project, we have the requirement to support brainpool curves for TLS connections (RFC 7027).

As part of this requirement, we introduced the brainpoolP*r1 curves to SunEC, as they are already known in sun.security.util.CurveDB. It does not introduce the twisted curves from RFC 5639. We want to share this patch, hoping it might be useful for others. Especially for publicly funded projects (e.g. health care or eID) in Europe, the use of, or at least support for, these curves is often mandatory.

The attached patch adds the domain parameters for

* brainpoolP160r1 (1.3.36.3.3.2.8.1.1.1)
* brainpoolP192r1 (1.3.36.3.3.2.8.1.1.3)
* brainpoolP224r1 (1.3.36.3.3.2.8.1.1.5)
* brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
* brainpoolP320r1 (1.3.36.3.3.2.8.1.1.9)
* brainpoolP384r1 (1.3.36.3.3.2.8.1.1.11)
* brainpoolP512r1 (1.3.36.3.3.2.8.1.1.13)

and makes them available in the same manner the other curves are available. It does not introduce new ECC algorithmics. Our understanding of the legal issues around ECC is that they relate to the deployed algorithmics, not to certain domain parameters.

Even though IANA has only assigned numbers for the 256, 384 and 512 bit r-curves, we still need to add all r-curves to prevent errors in the native part of SunEC when requesting calculations on one of the other curves.

Relation to other bugs:
https://bugs.openjdk.java.net/browse/JDK-7007966 - Our patch might be a partial solution for that bug. However, it asks for support for all brainpool curves, whereas this patch leaves out the twisted curves. Furthermore, the patch presented there seems to be on a quite different code base.

https://bugs.openjdk.java.net/browse/JDK-8189594 - The error in the optimized ECC field arithmetic will definitely interfere with brainpoolP320r1 (5 word optimized methods) and brainpoolP384r1 (6 word optimized methods). I already provided a patch for that issue: http://mail.openjdk.java.net/pipermail/security-dev/2017-October/016407.html

Tests:
There are already tests in TestEC: this patch will switch the brainpool curves from unsupported to supported, and the subsequent tests are also executed with the brainpool curves. Without JDK-8189594, these tests eventually fail when it comes to brainpoolP320r1. With the patch from JDK-8189594, all tests are executed and pass.

Tested platforms:

* Windows
* Linux
* macOS X

Unfortunately no Solaris, as we do not have such a machine at our disposal. It would be great if someone could sponsor this patch and help with that.

Regards
Tobias

P.S.

We have another patch, which adds the three brainpool curves with IANA numbers to the sun.security.ssl.EllipticCurveExtension. This enables these curves in SunJSSE for TLS connections. We did not include that part here, as we did not want to mix two parts of the JDK in one patch. It also needs a more handy test than a shell script using OpenSSL.

-- 
phone: +49 221 222896 17
fax: +49 221 222896 11

n - d e s i g n   G m b H 
www.n-design.de
Alpenerstr. 16
D-50825 Köln

Amtsgericht Köln HRB 33766 B
Geschäftsführer Andy Kohl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openjdk_jdk9_jdk_17288.patch
Type: application/octet-stream
Size: 13259 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20171215/2eec5bd2/openjdk_jdk9_jdk_17288.patch>
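A quick way to verify, on a given JDK build, whether the seven r-curves listed above are actually usable through SunEC (added example, not part of the attached patch or of the TestEC tests): for each curve it generates a key pair by name, checks that the field size matches the name and that the OID from the list resolves to the same group, then does an ECDSA sign/verify round trip, which is the operation that hits the native field arithmetic for each word size. Assumes the provider is registered under the name "SunEC"; the message signed is a constructed test string.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.*;
import java.util.LinkedHashMap;
import java.util.Map;

public class BrainpoolSupportCheck {
    // Curve name -> OID, as listed in the mail; the bit size is part of the name.
    static final String[][] CURVES = {
        {"brainpoolP160r1", "1.3.36.3.3.2.8.1.1.1"},  {"brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3"},
        {"brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5"},  {"brainpoolP256r1", "1.3.36.3.3.2.8.1.1.7"},
        {"brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9"},  {"brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11"},
        {"brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13"},
    };

    /** One status per curve: "ok", "unsupported", or a description of what went wrong. */
    static Map<String, String> probe() {
        Map<String, String> result = new LinkedHashMap<>();
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8); // constructed input
        for (String[] c : CURVES) {
            String name = c[0], oid = c[1];
            int expectedBits = Integer.parseInt(name.replaceAll("brainpoolP(\\d+)r1", "$1"));
            try {
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "SunEC");
                kpg.initialize(new ECGenParameterSpec(name)); // throws if CurveDB does not know the name
                KeyPair kp = kpg.generateKeyPair();
                ECParameterSpec byName = ((ECPublicKey) kp.getPublic()).getParams();
                int bits = byName.getCurve().getField().getFieldSize();
                if (bits != expectedBits) { result.put(name, "field size " + bits + " != " + expectedBits); continue; }
                // The OID must resolve to the same group as the name (compare group order)
                kpg.initialize(new ECGenParameterSpec(oid));
                ECParameterSpec byOid = ((ECPublicKey) kpg.generateKeyPair().getPublic()).getParams();
                if (!byOid.getOrder().equals(byName.getOrder())) { result.put(name, "OID resolves to a different curve"); continue; }
                // Sign/verify exercises the native field arithmetic for this word size (cf. JDK-8189594)
                Signature sig = Signature.getInstance("SHA256withECDSA", "SunEC");
                sig.initSign(kp.getPrivate());
                sig.update(msg);
                byte[] der = sig.sign();
                sig.initVerify(kp.getPublic());
                sig.update(msg);
                result.put(name, sig.verify(der) ? "ok" : "signature did not verify");
            } catch (InvalidAlgorithmParameterException e) {
                result.put(name, "unsupported"); // curve not in this build's CurveDB / SunEC
            } catch (GeneralSecurityException e) {
                result.put(name, "error: " + e.getMessage()); // e.g. a failure inside the native part
            }
        }
        return result;
    }

    public static void main(String[] args) {
        probe().forEach((curve, status) -> System.out.println(curve + ": " + status));
    }
}
```

On a build without the patch every curve reports "unsupported"; on a patched build without the JDK-8189594 fix, brainpoolP320r1 and brainpoolP384r1 are the ones expected to end up in the error branch.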

