Understanding elliptic curve spec limitations

David Blevins dblevins at tomitribe.com
Tue Sep 28 15:32:36 UTC 2021

> On Sep 28, 2021, at 12:49 AM, David Blevins <dblevins at tomitribe.com> wrote:
>> On Sep 27, 2021, at 3:32 PM, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
>> On 9/27/21 2:22 PM, David Blevins wrote:
>>> I've been putting a significant amount of work into compiling a large set of elliptic curve parameters/names/oids for an open source library and a related closed source security product we have.  We need to be able to support any of the curves that OpenSSL/LibreSSL support.
>>> The trick is this is currently impossible due to hardcoding in OpenJDK 16.  Though you supply valid parameters via ECParameterSpec, when you attempt to construct an instance of ECPrivateKey or ECPublicKey you hit code in sun.security.util.CurveDB that does a "reverse lookup" of sorts to find the curve name.  If it's not a curve CurveDB knows about, you can't use it.
>>> Is there willingness to accept contributions that would remove this limitation?
>> We haven't heard such issues since native obsolete curves were removed from 16.  We are will to take contributions upon review.  If you're going to formally contribute the code, you should check out https://openjdk.java.net/contribute/
> Thanks, Tony.
> It also appears that of the 60 curves supported only 3 of them can be used to sign/verify.  Any insight as to why?

Found my own answer on this second question.

 - https://bugs.openjdk.java.net/browse/JDK-8251547


More information about the security-dev mailing list