Re: [PATCH]: Support for brainpool curves from CurveDB in SunEC

Tobias Wagner tobias.wagner at n-design.de
Fri Feb 9 12:38:09 UTC 2018


Hi Valerie,

these tests were initially meant for the new curves in SunEC, but the SunEC tests are using
the PKCS#11 tests. Even though I made these known answer tests for SunEC, I think it
might be a good idea not to limit them to SunEC but run them on tests using TestECDH with
any provider which claims to support these curves.

The supported/unsupported statements come from getSupportedECParameterSpec in PKCS11Test
and depend on the exception a provider throws. I moved that code to this method from the getKnownCurves
method, to check if one particular curve is available. So, yes, I think it is lack of support in these providers,
and the log message depends on the exception type and the exception's message.

I executed the tests with an unpatched and a patched build of the OpenJDK. In both cases it was the SunEC provider.

The output for the unpatched reference build for sun.security.ec.TestEC using sun.security.pkcs11.ec.TestECDH:
...
>Running tests with SunEC provider...
>
>libsoftokn3 version = 3.16.  ECC Basic.
>Testing using parameters secp192r1 [NIST P-192, X9.62 prime192v1] (1.2.840.10045.3.1.1)...
>Testing using parameters sect163r2 [NIST B-163] (1.3.132.0.15)...
> brainpoolP256r1: Unsupported: Key Length: Unsupported curve: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
> brainpoolP320r1: Unsupported: Key Length: Unsupported curve: brainpoolP320r1 (1.3.36.3.3.2.8.1.1.9)
> brainpoolP384r1: Unsupported: Key Length: Unsupported curve: brainpoolP384r1 (1.3.36.3.3.2.8.1.1.11)
> brainpoolP512r1: Unsupported: Key Length: Unsupported curve: brainpoolP512r1 (1.3.36.3.3.2.8.1.1.13)
>OK
...

and for the patched build:
...
>Running tests with SunEC provider...
>
>libsoftokn3 version = 3.16.  ECC Basic.
>Testing using parameters secp192r1 [NIST P-192, X9.62 prime192v1] (1.2.840.10045.3.1.1)...
>Testing using parameters sect163r2 [NIST B-163] (1.3.132.0.15)...
> brainpoolP256r1: Supported
>Testing using parameters brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)...
> brainpoolP320r1: Supported
>Testing using parameters brainpoolP320r1 (1.3.36.3.3.2.8.1.1.9)...
> brainpoolP384r1: Supported
>Testing using parameters brainpoolP384r1 (1.3.36.3.3.2.8.1.1.11)...
> brainpoolP512r1: Supported
>Testing using parameters brainpoolP512r1 (1.3.36.3.3.2.8.1.1.13)...
>OK
...

When running sun.security.pkcs11.ec.TestECDH directly, I get the following:
...
>libsoftokn3 version = 3.16.  ECC Basic.
>Beginning test run TestECDH...
>Running test with provider SunPKCS11-NSS (security manager enabled) ...
>NSS only supports Basic ECC.  Skipping..
>Completed test with provider SunPKCS11-NSS (28 ms).
...

Regards,
Tobias

-----Original Message-----
> From: Valerie Peng <valerie.peng at oracle.com>
> Sent: Fri 9 February 2018 02:03
> To: Tobias Wagner <tobias.wagner at n-design.de>; security-dev at openjdk.java.net
> Subject: Re: [PATCH]: Support for brainpool curves from CurveDB in SunEC
> 
> Hi Tobias,
> 
> Just curious, which PKCS11 library did you use to test your patch? After 
> I applied your patch and ran the regression tests, I noticed that both 
> the Solaris PKCS11 library and NSS skipped testing Brainpool curves with 
> different error codes which may be due to lack of support...
> 
> Regards,
> Valerie
> 
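
The per-curve support check and ECDH run discussed in this message, as an added example that is not code from the patch or from the OpenJDK test suite: it probes every installed provider offering ECDH for the four brainpool curves, logs the exception type and message when a provider rejects one, and otherwise checks that both sides derive the same secret (a consistency check, not a known answer test). The class name CurveProbe, its method names and the log wording are assumptions.

```java
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
public class CurveProbe {  // hypothetical class name
    static final String[] CURVES = {
        "brainpoolP256r1", "brainpoolP320r1", "brainpoolP384r1", "brainpoolP512r1" };

    // Returns a generator for the curve, or null (logging why) if the provider rejects it.
    static KeyPairGenerator probe(Provider p, String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
            kpg.initialize(new ECGenParameterSpec(curve));
            System.out.println(" " + curve + ": Supported");
            return kpg;
        } catch (GeneralSecurityException | ProviderException e) {
            System.out.println(" " + curve + ": Unsupported: "
                    + e.getClass().getSimpleName() + ": " + e.getMessage());
            return null;
        }
    }

    static byte[] agree(Provider p, PrivateKey priv, PublicKey pub)
            throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH", p);
        ka.init(priv);
        ka.doPhase(pub, true);
        return ka.generateSecret();
    }

    // Both sides must derive the same shared secret.
    static boolean ecdhMatches(Provider p, KeyPairGenerator kpg)
            throws GeneralSecurityException {
        KeyPair a = kpg.generateKeyPair(), b = kpg.generateKeyPair();
        return Arrays.equals(agree(p, a.getPrivate(), b.getPublic()),
                             agree(p, b.getPrivate(), a.getPublic()));
    }

    public static void main(String[] args) throws Exception {
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyAgreement", "ECDH") == null) continue;
            System.out.println("Running tests with " + p.getName() + " provider...");
            for (String curve : CURVES) {
                KeyPairGenerator kpg = probe(p, curve);
                if (kpg != null)
                    System.out.println("  ECDH secrets match: " + ecdhMatches(p, kpg));
            }
        }
    }
}
```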