RFR 8182999: SunEC throws ProviderException on invalid curves

Vincent Ryan vincent.x.ryan at oracle.com
Wed Jul 12 14:42:46 UTC 2017


Looks fine to me too.

We should investigate how best to support similar behaviour for the SunPKCS11 provider.
To track this issue I’ve filed a related bug 8184290 <https://bugs.openjdk.java.net/browse/JDK-8184290>: SunPKCS11 throws ProviderException for unsupported curves



> On 10 Jul 2017, at 17:03, Seán Coffey <sean.coffey at oracle.com> wrote:
> 
> Thanks for the update! Looks fine to me.
> 
> Regards,
> Sean.
> 
> On 10/07/17 16:13, Adam Petcher wrote:
>> New webrev: http://cr.openjdk.java.net/~apetcher/8182999/webrev.01/
>> 
>> Yes, this is a good idea. I made this work by printing out the value from AlgorithmParameters.toString(), so hopefully that means you should always get a useful string. At the moment (with SunEC AlgorithmParameters), the string prints the friendly name followed by the OID:
>> 
>> Unsupported curve: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
>> 
>> On 7/7/2017 4:12 PM, Seán Coffey wrote:
>>> Adam,
>>> 
>>> would it be useful to get the curve name in the new exception ? I think it would help with future debugging. Line 96 already gets the curve name if we're dealing with ECGenParameterSpec instance. I think the same approach could be applied to your new code.
>>> 
>>> Regards,
>>> Sean.
>>> 
>>> 
>>> On 07/07/2017 19:59, Adam Petcher wrote:
>>>> This is a bug fix related to invalid curves in the SunEC provider. During ECKeyPairGenerator.initialize(), the provider only checks whether the curve is known, but it doesn't check whether the curve is actually supported by the native code. So the call to generateKeyPair() can fail in the native code and throw a ProviderException. This change adds a new native method to check whether the curve is supported. This method is called by initialize(), which will set the state to uninitialized and throw the expected exception when the curve is not supported.
>>>> 
>>>> JBS: https://bugs.openjdk.java.net/browse/JDK-8182999
>>>> Webrev: http://cr.openjdk.java.net/~apetcher/8182999/webrev.00/
>>>> 
>>> 
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20170712/684f36c0/attachment.html>


More information about the security-dev mailing list