RFR 8182999: SunEC throws ProviderException on invalid curves

Adam Petcher adam.petcher at oracle.com
Wed Jul 12 14:51:05 UTC 2017 

I made a minor tweak to the test. I realized that the test will still 
pass if the curve becomes supported in the future. I want the test to 
fail in this case because it would no longer be testing an unsupported 
curve.

latest webrev: http://cr.openjdk.java.net/~apetcher/8182999/webrev.02/


On 7/12/2017 10:42 AM, Vincent Ryan wrote:
> Looks fine to me too.
>
> We should investigate how best to support similar behaviour for the 
> SunPKCS11 provider.
> To track this issue I’ve filed a related bug 8184290 
> <https://bugs.openjdk.java.net/browse/JDK-8184290>: SunPKCS11 throws 
> ProviderException for unsupported curves
>
>
>
>> On 10 Jul 2017, at 17:03, Seán Coffey <sean.coffey at oracle.com 
>> <mailto:sean.coffey at oracle.com>> wrote:
>>
>> Thanks for the update! Looks fine to me.
>>
>> Regards,
>> Sean.
>>
>> On 10/07/17 16:13, Adam Petcher wrote:
>>> New webrev: http://cr.openjdk.java.net/~apetcher/8182999/webrev.01/ 
>>> <http://cr.openjdk.java.net/%7Eapetcher/8182999/webrev.01/>
>>>
>>> Yes, this is a good idea. I made this work by printing out the value 
>>> from AlgorithmParameters.toString(), so hopefully that means you 
>>> should always get a useful string. At the moment (with SunEC 
>>> AlgorithmParameters), the string prints the friendly name followed 
>>> by the OID:
>>>
>>> Unsupported curve: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
>>>
>>> On 7/7/2017 4:12 PM, Seán Coffey wrote:
>>>> Adam,
>>>>
>>>> would it be useful to get the curve name in the new exception ? I 
>>>> think it would help with future debugging. Line 96 already gets the 
>>>> curve name if we're dealing with ECGenParameterSpec instance. I 
>>>> think the same approach could be applied to your new code.
>>>>
>>>> Regards,
>>>> Sean.
>>>>
>>>>
>>>> On 07/07/2017 19:59, Adam Petcher wrote:
>>>>> This is a bug fix related to invalid curves in the SunEC provider. 
>>>>> During ECKeyPairGenerator.initialize(), the provider only checks 
>>>>> whether the curve is known, but it doesn't check whether the curve 
>>>>> is actually supported by the native code. So the call to 
>>>>> generateKeyPair() can fail in the native code and throw a 
>>>>> ProviderException. This change adds a new native method to check 
>>>>> whether the curve is supported. This method is called by 
>>>>> initialize(), which will set the state to uninitialized and throw 
>>>>> the expected exception when the curve is not supported.
>>>>>
>>>>> JBS: https://bugs.openjdk.java.net/browse/JDK-8182999
>>>>> Webrev: http://cr.openjdk.java.net/~apetcher/8182999/webrev.00/ 
>>>>> <http://cr.openjdk.java.net/%7Eapetcher/8182999/webrev.00/>
>>>>>
>>>>
>>>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20170712/83247ef6/attachment.html>

More information about the security-dev mailing list