8237219: Disabling the native SunEC implementation

Weijun Wang weijun.wang at oracle.com
Thu Mar 19 04:51:38 UTC 2020



> On Mar 19, 2020, at 11:09 AM, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
> 
> On 3/18/20 7:32 PM, Weijun Wang wrote:
>> ECKeyPairGenerator.java:
>> You can move the following lines to the beginning of the method:
>>  132         // Check if the java implementation supports this curve
>>  133         if (ECOperations.forParameters(ecSpec).isPresent()) {
>>  134             return;
>>  135         }
> 
> I left it after the eparams.init() as this checks CurveDB.lookup, if the curve not found it returns an InvalidParameterSpecException which is wrapped into a InvalidAlgorithmParameterSpec.  If I move the above check, now it only returns an InvalidAlgorithmParameterSpec.
> 
> Going forward when this native library is removed, I think changing the exception wrapping is less of a concern, but since the purpose of this change is more for older releases, I thought keeping this consistent was more important, does that make sense and do you agree?

Sounds reasonable.

Thanks,
Max

> 
>> Everything else looks fine.
>> In the CSR, how about explicitly spell out the curve names we support in Java?
> 
> ok
> 
>> You also need a release note: Talk about the system property, when it should be enabled, and why enabling it is probably not a good idea.
> 
> Yes, when the CSR is reviewed I'll have a basis to write the Release Note from.
> 
>> Thanks,
>> Max
>>> On Mar 18, 2020, at 11:52 PM, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
>>> 
>>> Max,
>>> 
>>> Are you satisfied with this last update?
>>> 
>>> Thanks
>>> 
>>> Tony
>>> 
>>>> On Mar 11, 2020, at 11:23 PM, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
>>>> 
>>>> Another webrev update with Max's recent comments.
>>>> https://cr.openjdk.java.net/~ascarpino/8237219/webrev.03
>>>> 
>>>> Also I still need a reviewer for the CSR.
>>>> 
>>>> thanks
>>>> 
>>>> Tony
>>>> 
>>>>> On 3/2/20 4:40 PM, Anthony Scarpino wrote:
>>>>> Hi
>>>>> I need a review of the CSR and webrev for disabling by default the native SunEC curves from the API.  With the recent verification changes in JDK-8237218, SunJCE is long dependent on the native code for verifying the constant-time curves.  This disabling can be undone with setting a  system property, jdk.sunec.disableNative.  I'm doing a simultaneous review as changes for one  will likely affect the other.
>>>>> CSR: https://bugs.openjdk.java.net/browse/JDK-8238911
>>>>> webrev: https://cr.openjdk.java.net/~ascarpino/8237219/
>>>>> The curves affected are:
>>>>> secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1 brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
>>>>> Tony
>>>> 
>>> 
> 




More information about the security-dev mailing list