RFR [11] CSR for "Add Brainpool ECC support (RFC 5639)"

Bernd Eckenfels ecki at zusammenkunft.net
Thu Oct 24 10:52:07 UTC 2019


Hello,

Coming back to the message of Tobias, it looks* like even in 14 the Brainpool curves have not landed for JSSE, are there any plans for adding this? can you maybe share your incomplete patch, Tobias?

* i don’t see them in ssl/NamesGroups: http://hg.openjdk.java.net/jdk/jdk/file/tip/src/java.base/share/classes/sun/security/ssl/NamedGroup.java
Gruss
Bernd


--
http://bernd.eckenfels.net

________________________________
Von: security-dev <security-dev-bounces at openjdk.java.net> im Auftrag von Tobias Wagner <tobias.wagner at n-design.de>
Gesendet: Mittwoch, Juni 27, 2018 7:49 PM
An: security-dev at openjdk.java.net
Betreff: AW: RFR [11] CSR for "Add Brainpool ECC support (RFC 5639)"

Hi Valerie and Bernd,
Valerie is right, I tested my JTREG Tests against SoftHSM2 in March:
http://mail.openjdk.java.net/pipermail/security-dev/2018-March/016863.html
I don't think there are more PKCS#11 related issues, as SunEC is not a PKCS#11 implementation. There are only shared tests.

The JTREG known answer tests use the X9.62 key format as they are used in certificates as well. I assume, brainpool public keys would work in certificates as well.

I actually implemented the support for brainpool curves in TLS as well, but I had no time to provide proper JTREG tests for that, and therefore no patch yet.

Regards, Tobias

--
phone: +49 221 222896 17
fax: +49 221 222896 11
keybase: https://keybase.io/toebix

n - d e s i g n G m b H
https://n-design.de
Alpenerstr. 16
50825 Köln
Deutschland / Germany

Amtsgericht Köln HRB 33766 B
Geschäftsführer Andy Kohl

> -----Ursprüngliche Nachricht-----
> Von: security-dev <security-dev-bounces at openjdk.java.net> Im Auftrag von
> Valerie Peng
> Gesendet: Donnerstag, 21. Juni 2018 01:07
> An: security-dev at openjdk.java.net
> Betreff: Re: RFR [11] CSR for "Add Brainpool ECC support (RFC 5639)"
>
> Are you asking about CSR or existing bug for including Brainpool support
> in TLS?
>
> I saw some bugs which mentions errors/exceptions which brainpool is
> used, e.g. JSSE has https://bugs.openjdk.java.net/browse/JDK-7189107,
> key tool has https://bugs.openjdk.java.net/browse/JDK-8201290. After
> this brainpool support is integrated, it'll be easier to re-evaluate
> these.
>
>
> As for PKCS11, Tobias tested this against a 3rd party PKCS11 library and
> the result is positive if I recall correctly.
>
>
> Thanks,
> Valerie
>
>
> On 6/18/2018 1:26 PM, Bernd Eckenfels wrote:
>
>
> Hello,
>
>
>
> not a Reviewer, but some Questions on the CSR:
>
>
>
> * Are there other CSRs for including in TLS?
> * I also wonder if PKI (CA Signatures) will work out of the box
> then (OID aliases?)
> * Does PKCS11 require additional changes? (especially for the
> Government use mentioned in the justification HSMs are often mandatory)
>
>
>
> Gruss
>
> Bernd
>
> --
> http://bernd.eckenfels.net
>
>
>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20191024/6857d405/attachment.html>


More information about the security-dev mailing list