<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>On 12/6/2017 11:39 AM, Max Fichtelmann wrote:<br>
</p>
<blockquote type="cite"
cite="mid:OF4ECB5E21.0601B805-ONC12581EE.005A637F-C12581EE.005B852E@LocalDomain"><font
size="2" face="sans-serif">We use an HSM to generate ECDSA Keys
and
are required to use the curve brainpoolP256r1.</font><br>
<br>
<font size="2" face="sans-serif">Although the HSM does not
specifically
support brainpool, it is possible to generate these keys by
providing the
specific Curve Parameters. These curve parameters are then saved
in CKA_EC_PARAMS...
</font></blockquote>
&lt;snip&gt;<br>
<blockquote type="cite"
cite="mid:OF4ECB5E21.0601B805-ONC12581EE.005A637F-C12581EE.005B852E@LocalDomain"><font
size="2" face="sans-serif">When using SunPKCS11 to load the
KeyPair,
ECParams is used with the value of CKA_EC_PARAMS which then
fails.</font><br>
<br>
<font size="2" face="sans-serif">So there are not many options I
see
- either patching JDK or getting the HSM-Vendor to add support
for brainpool...</font><br>
</blockquote>
<br>
<font size="2">I think this problem is pretty good motivation for
enhancing this code to support specified domain parameters. So if
you are going to write code to fix this, please consider
submitting a patch. <br>
<br>
There may be another way to fix this problem without patching the
JDK. You could develop (or locate) a JCA provider including an
AlgorithmParameters service for "EC" that has this desired
functionality. Install[1] this provider with a preference higher
than SunEC, and it will be used to decode the CKA_EC_PARAMS. But
note that this may also change other (unrelated) crypto behavior
in your application. <br>
<br>
[1]
<a class="moz-txt-link-freetext" href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderInstalling">https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderInstalling</a><br>
</font>
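<p>Added example, not part of the original message and not JDK code: a check to run before choosing between the options discussed above. It classifies a CKA_EC_PARAMS value by its outer DER tag (named-curve OID versus explicitly specified domain parameters) and reports which installed providers offer AlgorithmParameters for "EC" and whether the preferred one decodes the value. The class name EcParamsCheck and the sample bytes are assumptions constructed for illustration; pass the real attribute value as a hex string argument.</p>
<pre>
```java
import java.security.AlgorithmParameters;
import java.security.Provider;
import java.security.Security;

public class EcParamsCheck {
    // Constructed sample: DER encoding of the named-curve OID
    // 1.3.36.3.3.2.8.1.1.7 (brainpoolP256r1).
    static final String NAMED_HEX = "06092B2403030208010107";

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i != out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // ECParameters is an ASN.1 CHOICE; the outer tag says which form was stored.
    static String classify(byte[] der) {
        if (der.length == 0) return "empty";
        switch (der[0]) {
            case 0x06: return "namedCurve (OID)";
            case 0x30: return "specifiedCurve (explicit domain parameters)";
            case 0x05: return "implicitCurve (NULL)";
            default:   return "unknown outer tag";
        }
    }

    // Decode with whichever provider has the highest preference for "EC".
    static String tryDecode(byte[] der) {
        try {
            AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
            ap.init(der);
            return "decoded by " + ap.getProvider().getName();
        } catch (Exception e) {
            return "decode failed: " + e;
        }
    }

    public static void main(String[] args) {
        byte[] der = fromHex(args.length == 0 ? NAMED_HEX : args[0]);
        System.out.println("form: " + classify(der));
        // Security.getProviders() returns providers in preference order.
        for (Provider p : Security.getProviders()) {
            if (p.getService("AlgorithmParameters", "EC") != null) {
                System.out.println("EC parameters provider: " + p.getName());
            }
        }
        System.out.println(tryDecode(der));
    }
}
```
</pre>
<p>Running it again after installing an additional provider shows whether that provider now takes precedence for "EC" parameter decoding, which is the side effect the reply warns about.</p>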
</body>
</html>