RFR [11] CSR for "Add Brainpool ECC support (RFC 5639)"

Tobias Wagner tobias.wagner at n-design.de
Mon Oct 28 11:09:21 UTC 2019


Hi Bernd and all,

the mentioned patch was for jdk8, I think. I attached a new one. It
simply adds the brainpool curves to NamedGroup - twice.

1. According to RFC 7027 for TLS <= 1.2
2. According to
 * https://datatracker.ietf.org/doc/draft-bruckert-brainpool-for-tls13/ and
 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8

This works for TLSv1.2 using https://testssl.sh - but I had no
opportunity to test this for TLSv1.3 and unfortunately little time to look into it now.

Cheers,
Tobias

On 24.10.19 at 12:52, Bernd Eckenfels wrote:
> Hello,
> 
> Coming back to the message of Tobias, it looks* like even in 14 the
> Brainpool curves have not landed for JSSE, are there any plans for
> adding this? Can you maybe share your incomplete patch, Tobias?
> 
> * I don’t see them in ssl/NamedGroup:
> http://hg.openjdk.java.net/jdk/jdk/file/tip/src/java.base/share/classes/sun/security/ssl/NamedGroup.java
> Regards
> Bernd
> 
> 
> -- 
> http://bernd.eckenfels.net
>  
> ------------------------------------------------------------------------
> *From:* security-dev <security-dev-bounces at openjdk.java.net> on behalf
> of Tobias Wagner <tobias.wagner at n-design.de>
> *Sent:* Wednesday, June 27, 2018 7:49 PM
> *To:* security-dev at openjdk.java.net
> *Subject:* RE: RFR [11] CSR for "Add Brainpool ECC support (RFC 5639)"
>  
> Hi Valerie and Bernd,
> Valerie is right, I tested my JTREG Tests against SoftHSM2 in March:
> http://mail.openjdk.java.net/pipermail/security-dev/2018-March/016863.html
> I don't think there are more PKCS#11 related issues, as SunEC is not a
> PKCS#11 implementation. There are only shared tests.
> 
> The JTREG known answer tests use the X9.62 key format as they are used
> in certificates as well. I assume brainpool public keys would work in
> certificates as well.
> 
> I actually implemented the support for brainpool curves in TLS as well,
> but I had no time to provide proper JTREG tests for that, and therefore
> no patch yet.
> 
> Regards, Tobias
> 
> -- 
> phone: +49 221 222896 17
> fax: +49 221 222896 11
> keybase: https://keybase.io/toebix
> 
> n - d e s i g n G m b H
> https://n-design.de
> Alpenerstr. 16
> 50825 Köln
> Deutschland / Germany
> 
> Amtsgericht Köln HRB 33766 B
> Managing Director Andy Kohl
> 
>> -----Original Message-----
>> From: security-dev <security-dev-bounces at openjdk.java.net> On Behalf Of
>> Valerie Peng
>> Sent: Thursday, 21 June 2018 01:07
>> To: security-dev at openjdk.java.net
>> Subject: Re: RFR [11] CSR for "Add Brainpool ECC support (RFC 5639)"
>>
>> Are you asking about CSR or existing bug for including Brainpool support
>> in TLS?
>>
>> I saw some bugs which mention errors/exceptions when brainpool is
>> used, e.g. JSSE has https://bugs.openjdk.java.net/browse/JDK-7189107,
>> key tool has https://bugs.openjdk.java.net/browse/JDK-8201290. After
>> this brainpool support is integrated, it'll be easier to re-evaluate
>> these.
>>
>>
>> As for PKCS11, Tobias tested this against a 3rd party PKCS11 library and
>> the result is positive if I recall correctly.
>>
>>
>> Thanks,
>> Valerie
>>
>>
>> On 6/18/2018 1:26 PM, Bernd Eckenfels wrote:
>>
>>
>> Hello,
>>
>>
>>
>> not a Reviewer, but some Questions on the CSR:
>>
>>
>>
>> * Are there other CSRs for including in TLS?
>> * I also wonder if PKI (CA Signatures) will work out of the box
>> then (OID aliases?)
>> * Does PKCS11 require additional changes? (especially for the
>> Government use mentioned in the justification HSMs are often mandatory)
>>
>>
>>
>> Regards
>>
>> Bernd
>>
>> --
>> http://bernd.eckenfels.net
>>
>>
>>
> 
> 

-- 
phone:   +49 221 222896 17
fax:     +49 221 222896 11
keybase: https://keybase.io/toebix

n - d e s i g n   G m b H
https://n-design.de
Alpenerstr. 16
50825 Köln
Deutschland / Germany

Amtsgericht Köln HRB 33766 B
Managing Directors: Andy Kohl, Dr. Tino Großmann
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_56744.diff
Type: text/x-patch
Size: 2374 bytes
Desc: patch_56744.diff
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20191028/c5d1f8a6/patch_56744.diff>

