Tomas Gustavsson wrote:
>
> Andrew John Hughes wrote:
>> 2009/10/6 Tomas Gustavsson <to...@primekey.se>:
>>> Hi Andrew,
>>>
>>> I guess no bug Id was created after all.
>>> The issue is that the pkcs#11 library returns a tag-length-value
>>> encoding for an EC public key, but the Sun provider expects something
>>> else. So when trying to read the public key from pkcs#11 we get an
>>> exception.
>>>
>>> The patch, which is very small and backwards compatible (if there are
>>> pkcs#11's that do return the value originally expected), can be found
>>> here:
>>> http://bunny.primekey.se/~lars/sunP11Bug/patch.txt
>>>
>>> A simple test case:
>>> http://bunny.primekey.se/~lars/sunP11Bug/src/test/Main.java
>>>
>>> We've been in contact with an HSM vendor (Utimaco) and they claim that
>>> the tag-length-value is the right way. Since we tested this with several
>>> different HSMs it seems they are in agreement as well :-)
>>> (I can forward their explanation as well if needed).
>>>
>>> Kind regards,
>>> Tomas
>>>
>>> PS: Lars (who is my colleague) has completed the "Sun Contribution
>>> Agreement".
>>>
>>>
>>> Andrew John Hughes wrote:
>>>> 2009/10/5 Tomas Gustavsson <to...@primekey.se>:
>>>>> Hi Vincent and Brad,
>>>>>
>>>>> I'm not sure how things are at Sun currently. We work with Sun here in
>>>>> Sweden so we've heard a bit about wait with the Oracle story.
>>>>>
>>>>> Anyhow I just want to let you know that if anyone is still working on
>>>>> crypto that this bug is very annoying, and affects all existing HSMs as
>>>>> far as I can see. ECC is rolling out pretty wide in Europe now with new
>>>>> electronic passports and other ECC cards.
>>>>> So getting this fixed would be quite welcome, it's a small fix. I've
>>>>> tested it on SafeNet HSMs myself right now.
>>>>>
>>>>>
>>>>> Kind regards,
>>>>> Tomas Gustavsson
>>>>> PrimeKey Solutions AB
>>>>>
>>>>>
>>>>> Lars Silvén wrote:
>>>>>> -------- Forwarded Message --------
>>>>>> From: Brad Wetmore <bradford.wetm...@sun.com>
>>>>>> To: Lars Silvén <l...@primekey.se>
>>>>>> Cc: security-dev@openjdk.java.net, Vinnie Ryan <vincent.r...@sun.com>
>>>>>> Subject: Re: [security-dev 00550]: Re: ECC pkcs#11 bug
>>>>>> Date: Thu, 05 Feb 2009 11:34:49 -0800
>>>>>>
>>>>>> Hi Lars,
>>>>>>
>>>>>> I was hoping that Vincent Ryan had already contacted you about this.
>>>>>>
>>>>>> I got redirected from ECC to work on the OpenJDK Bugzilla instance,
>>>>>> which is rolling out very soon. Vincent took over the ECC work late
>>>>>> last year along with your submission. The short answer is, between a
>>>>>> lengthy customer escalation and Bugzilla, I've been so heads down for
>>>>>> the last 4 months, I'm not sure how far he's gotten.
>>>>>>
>>>>>> Vinnie, can you provide more info?
>>>>>>
>>>>>> Brad
>>>>>>
>>>>>>
>>>>>> Lars Silvén wrote:
>>>>>>> Brad,
>>>>>>>
>>>>>>> Any news about the p11 ECC bug?
>>>>>>>
>>>>>>> When will it be fixed?
>>>>>>>
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Lars
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Lars Silvén wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Thank you for taking care of this.
>>>>>>>> We want this fix in both JDK 6 and 7. I'd like to know the release date
>>>>>>>> for the fix in both versions if possible.
>>>>>>>>
>>>>>>>> Lars
>>>>>>>>
>>>>>>>> Brad Wetmore wrote:
>>>>>>>>> Lars Silvén wrote:
>>>>>>>>>> Hi Brad,
>>>>>>>>>>
>>>>>>>>>> Do you have everything you need to fix the bug?
>>>>>>>>> I believe so. I haven't started looking at it closely yet, I'm still
>>>>>>>>> mopping up several fires. Unfortunately, I'm the chef, busboy, and
>>>>>>>>> bottle washer for several projects here.
>>>>>>>>>
>>>>>>>>>> Or is there anything more I could do to help?
>>>>>>>>>>
>>>>>>>>>> I have now also tested the nCipher HSM. To get their p11 working my
>>>>>>>>>> patch had to be applied.
>>>>>>>>>>
>>>>>>>>>> Do you have any idea when the fix could be released?
>>>>>>>>> Are you looking for JDK7, or 6?
>>>>>>>>>
>>>>>>>>> Brad
>>>>>>>>>
>>>>>>>>>> Best Regards
>>>>>>>>>>
>>>>>>>>>> Brad Wetmore wrote:
>>>>>>>>>>> Lars Silvén wrote:
>>>>>>>>>>>> Hi Brad,
>>>>>>>>>>>>
>>>>>>>>>>>> I have written a simple application that illustrates the problem:
>>>>>>>>>>>> http://bunny.primekey.se/~lars/sunP11Bug/src/test/Main.java
>>>>>>>>>>>>
>>>>>>>>>>>> But you need a p11 module with ECC capability to run it. Do you
>>>>>>>>>>>> have one?
>>>>>>>>>>> Yes.
>>>>>>>>>>>
>>>>>>>>>>>> If not I could investigate if one of our HSM vendors could send you
>>>>>>>>>>>> one.
>>>>>>>>>>>> Also to verify that the public key actually is usable a JCA
>>>>>>>>>>>> provider with ECC is needed.
>>>>>>>>>>> I'm going to be working on adding ECC to the JCE provider for JDK 7.
>>>>>>>>>>>
>>>>>>>>>>> Thanks for the case.
>>>>>>>>>>>
>>>>>>>>>>> Brad
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> But for that you could use BouncyCastle.
>>>>>>>>>>>> Start running the application without parameters and then you get a
>>>>>>>>>>>> description of needed parameters.
>>>>>>>>>>>>
>>>>>>>>>>>> Lars
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Brad Wetmore wrote:
>>>>>>>>>>>>> Great, thanks for doing so.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'll be working on this fairly soon, so I'll get a bug filed. Do you
>>>>>>>>>>>>> have a standalone test case for this already? See step 3 of the
>>>>>>>>>>>>> contribute page. If you do but you don't have it in jtreg format,
>>>>>>>>>>>>> I can get it into the jtreg format.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Brad
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Lars Silvén wrote:
>>>>>>>>>>>>>> Here is my SCA!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> //Lars
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Brad Wetmore wrote:
>>>>>>>>>>>>>>> Hi Lars,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have created a patch that is fixing the problem:
>>>>>>>>>>>>>>> This is Brad Wetmore, I am the Security group Moderator, and also the
>>>>>>>>>>>>>>> person who will be handling this when I get back to working on the Java
>>>>>>>>>>>>>>> ECC implementation.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Unfortunately, I can't take your source contribution yet without a
>>>>>>>>>>>>>>> signed copy of the Sun Contribution Agreement in place. This is done
>>>>>>>>>>>>>>> for your protection as well as the Sun's and the OpenJDK community's.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please see the following link for more information:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://openjdk.java.net/contribute/
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The Signatories of the SCA are eligible to donate code to all products
>>>>>>>>>>>>>>> and projects owned or managed by Sun: signing it once means you can
>>>>>>>>>>>>>>> contribute code to any Sun-sponsored open source project.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you have recently signed it and it hasn't yet appeared in our
>>>>>>>>>>>>>>> database, just let me know.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Discussion of the problem is fine, it's just the source that we can't
>>>>>>>>>>>>>>> take at this point.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Brad
>>>>>>>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>> What bug are we discussing here? I don't see any patch or bug ID.
>> Ah, this sounds like a similar, if not the same bug as 6763530 which
>> we discussed here:
>>
>> http://mail.openjdk.java.net/pipermail/security-dev/2009-September/001252.html
>>
>> I posted a patch for this some time ago, as you can see from the
>> discussion, and then a revised version based on Michael StJohn's patch
>>
>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/
>>
>> but it has not yet been accepted into OpenJDK. The bug is due to the
>> data being DER encoded. DER octet streams also start with a 4 but the
>> length is different from that expected by the current code. The bug
>> is triggered when newer versions of the NSS library are used for ECC
>> support.
>
> Excellent. Plenty of people are tripping into this bug. I hope some
> version of patches gets accepted soon!
>
> What's keeping the patch from getting accepted?

Me, unfortunately. I'll try to get to this in the next few days.

>
> Regards,
> Tomas
>
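
The encoding mismatch discussed in this thread, as an added example that is not the linked patch or OpenJDK code: a decoder that accepts an EC public point either as the raw uncompressed form (0x04, X, Y) or wrapped in a DER OCTET STRING (tag-length-value), including the long-form length a 521-bit field needs. The class and method names and the sample bytes are assumptions made for this illustration.

```java
import java.math.BigInteger;
import java.security.spec.ECPoint;
import java.util.Arrays;

// Added example (hypothetical class and method names, not SunPKCS11 code).
public class EcPointAttr {
    // fieldBytes = ceil(field size in bits / 8): 32 for a 256-bit field, 66 for 521 bits.
    static ECPoint decode(byte[] attr, int fieldBytes) {
        int rawLen = 1 + 2 * fieldBytes;
        // Raw point and DER OCTET STRING both start with 0x04; only the length differs (65 vs 67).
        byte[] raw = (attr.length == rawLen) ? attr : unwrapOctetString(attr);
        if (raw.length != rawLen || raw[0] != 0x04) {
            throw new IllegalArgumentException("not an uncompressed EC point");
        }
        BigInteger x = new BigInteger(1, Arrays.copyOfRange(raw, 1, 1 + fieldBytes));
        BigInteger y = new BigInteger(1, Arrays.copyOfRange(raw, 1 + fieldBytes, rawLen));
        return new ECPoint(x, y); // caller must still check the point is on the curve
    }

    // Checks tag 0x04, a definite length (short or long form) and no trailing bytes.
    static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("not a DER OCTET STRING");
        }
        int pos = 2, len = der[1] & 0xff;
        if (len >= 0x80) { // long form: low 7 bits give the number of length bytes
            int n = len & 0x7f;
            if (n == 0 || n > 2 || der.length < 2 + n) {
                throw new IllegalArgumentException("unsupported DER length");
            }
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[pos++] & 0xff);
        }
        if (len != der.length - pos) {
            throw new IllegalArgumentException("DER length does not match data");
        }
        return Arrays.copyOfRange(der, pos, der.length);
    }

    public static void main(String[] args) {
        byte[] raw = new byte[65]; // constructed sample, not a real key
        raw[0] = 0x04;
        Arrays.fill(raw, 1, 65, (byte) 0x11);
        byte[] wrapped = new byte[67]; // 04 41 || raw
        wrapped[0] = 0x04; wrapped[1] = 0x41;
        System.arraycopy(raw, 0, wrapped, 2, 65);
        System.out.println(decode(raw, 32).equals(decode(wrapped, 32)));
    }
}
```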