Understanding elliptic curve spec limitations

Anthony Scarpino anthony.scarpino at oracle.com
Mon Sep 27 22:32:49 UTC 2021



On 9/27/21 2:22 PM, David Blevins wrote:
> I've been putting a significant amount of work into compiling a large set of elliptic curve parameters/names/oids for an open source library and a related closed source security product we have.  We need to be able to support any of the curves that OpenSSL/LibreSSL support.
> 
> The trick is this is currently impossible due to hardcoding in OpenJDK 16.  Though you supply valid parameters via ECParameterSpec, when you attempt to construct an instance of ECPrivateKey or ECPublicKey you hit code in sun.security.util.CurveDB that does a "reverse lookup" of sorts to find the curve name.  If it's not a curve CurveDB knows about, you can't use it.
> 
> Is there willingness to accept contributions that would remove this limitation?

We haven't heard such issues since native obsolete curves were removed 
from 16.  We are willing to take contributions upon review.  If you're 
going to formally contribute the code, you should check out 
https://openjdk.java.net/contribute/

Tony
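
A probe for the behaviour discussed in this thread, as an added example that is not part of either message and is not OpenJDK code: it hands the default "EC" KeyFactory one curve by name and one curve as explicit parameters, and reports whether each is accepted. The class name `ExplicitCurveProbe`, the private scalar, and the toy curve (a constructed textbook curve over F_17, not a real-world curve) are assumptions; the result depends on the JDK version and installed providers.

```java
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.spec.ECFieldFp;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPrivateKeySpec;
import java.security.spec.EllipticCurve;

public class ExplicitCurveProbe {
    // Constructed sample: y^2 = x^3 + 2x + 2 over F_17, generator (5, 1), order 19, cofactor 1.
    // It stands in for "valid parameters the JDK has no name for".
    static ECParameterSpec toyCurve() {
        EllipticCurve curve = new EllipticCurve(
                new ECFieldFp(BigInteger.valueOf(17)),
                BigInteger.valueOf(2), BigInteger.valueOf(2));
        ECPoint g = new ECPoint(BigInteger.valueOf(5), BigInteger.ONE);
        return new ECParameterSpec(curve, g, BigInteger.valueOf(19), 1);
    }

    // Resolve a curve the provider knows by name into its ECParameterSpec.
    static ECParameterSpec namedCurve(String name) throws GeneralSecurityException {
        AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
        ap.init(new ECGenParameterSpec(name));
        return ap.getParameterSpec(ECParameterSpec.class);
    }

    // Try to build an ECPrivateKey from the given parameters and report the outcome.
    static String probe(String label, ECParameterSpec params) {
        try {
            KeyFactory kf = KeyFactory.getInstance("EC");
            kf.generatePrivate(new ECPrivateKeySpec(BigInteger.valueOf(7), params));
            return label + ": accepted";
        } catch (GeneralSecurityException | RuntimeException e) {
            // Report the failure instead of aborting, so both curves are always tested.
            return label + ": rejected (" + e.getClass().getSimpleName()
                    + ": " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java " + System.getProperty("java.version"));
        System.out.println(probe("secp256r1 (named)", namedCurve("secp256r1")));
        System.out.println(probe("toy curve (explicit parameters)", toyCurve()));
    }
}
```

Running it on each JDK you deploy shows whether explicit-parameter keys imported from OpenSSL/LibreSSL will load there or need a different provider.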


