Sweet! Let me know if you need any help testing. I'm mainly running on Ubuntu 64bit, but have access to others as well.
Regards,
Tomas

Vincent Ryan wrote:
>
> Tomas Gustavsson wrote:
>> Andrew John Hughes wrote:
>>> 2009/10/6 Tomas Gustavsson <to...@primekey.se>:
>>>> Hi Andrew,
>>>>
>>>> I guess no bug Id was created after all.
>>>> The issue is that the pkcs#11 library returns a tag-length-value
>>>> encoding for an EC public key, but the Sun provider expects something
>>>> else. So when trying to read the public key from pkcs#11 we get an
>>>> exception.
>>>>
>>>> The patch, which is very small and backwards compatible (if there are
>>>> pkcs#11's that does return the value originally expected), can be found
>>>> here:
>>>> http://bunny.primekey.se/~lars/sunP11Bug/patch.txt
>>>>
>>>> A simple test case:
>>>> http://bunny.primekey.se/~lars/sunP11Bug/src/test/Main.java
>>>>
>>>> We've been in contact with an HSM vendor (Utimaco) and they claim that
>>>> the tag-length-value is the right way. Since we tested this with several
>>>> different HSMs it seems they are in agreement as well :-)
>>>> (I can forward their explanation as well if needed).
>>>>
>>>> Kind regards,
>>>> Tomas
>>>>
>>>> PS: Lars (who is my colleague) has completed the "Sun Contribution
>>>> Agreement".
>>>>
>>>> Andrew John Hughes wrote:
>>>>> 2009/10/5 Tomas Gustavsson <to...@primekey.se>:
>>>>>> Hi Vincent and Brad,
>>>>>>
>>>>>> I'm not sure how things are at Sun currently. We work with Sun here in
>>>>>> Sweden so we've heard a bit about wait with the Oracle story.
>>>>>>
>>>>>> Anyhow I just want to let you know that if anyone is still working on
>>>>>> crypto that this bug is very annoying, and affect all existing HSMs as
>>>>>> far as I can see. ECC is rolling out pretty wide in Europe now with new
>>>>>> electronic passports and other ecc cards.
>>>>>> So getting this fixed would be quite welcome, it's a small fix. I've
>>>>>> tested it on SafeNet HSMs myself right now.
>>>>>>
>>>>>> Kind regards,
>>>>>> Tomas Gustavsson
>>>>>> PrimeKey Solutions AB
>>>>>>
>>>>>> Lars Silvén wrote:
>>>>>>> -------- Forwarded Message --------
>>>>>>> From: Brad Wetmore <bradford.wetm...@sun.com>
>>>>>>> To: Lars Silvén <l...@primekey.se>
>>>>>>> Cc: security-dev@openjdk.java.net, Vinnie Ryan <vincent.r...@sun.com>
>>>>>>> Subject: Re: [security-dev 00550]: Re: ECC pkcs#11 bug
>>>>>>> Date: Thu, 05 Feb 2009 11:34:49 -0800
>>>>>>>
>>>>>>> Hi Lars,
>>>>>>>
>>>>>>> I was hoping that Vincent Ryan had already contacted you about this.
>>>>>>>
>>>>>>> I got redirected from ECC to work on the OpenJDK Bugzilla instance,
>>>>>>> which is rolling out very soon. Vincent took over the ECC work late
>>>>>>> last year along with your submission. The short answer is, between a
>>>>>>> lengthy customer escalation and bugzilla, I've been so heads down for
>>>>>>> the last 4 months, I'm not sure how far he's gotten.
>>>>>>>
>>>>>>> Vinnie, can you provide more info?
>>>>>>>
>>>>>>> Brad
>>>>>>>
>>>>>>> Lars Silvén wrote:
>>>>>>>> Brad,
>>>>>>>>
>>>>>>>> Any news about the p11 ECC bug.
>>>>>>>>
>>>>>>>> When will it be fixed?
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Lars
>>>>>>>>
>>>>>>>> Lars Silvén wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> Thank you for taking care of this.
>>>>>>>>> We want this fix in both JDK 6 and 7. I like to know the release date
>>>>>>>>> for the fix in both versions if possible.
>>>>>>>>>
>>>>>>>>> Lars
>>>>>>>>>
>>>>>>>>> Brad Wetmore wrote:
>>>>>>>>>> Lars Silvén wrote:
>>>>>>>>>>> Hi Brad,
>>>>>>>>>>>
>>>>>>>>>>> Do you have everything you need to fix the bug.
>>>>>>>>>> I believe so. I haven't started looking at it closely yet, I'm still
>>>>>>>>>> mopping up several fires. Unfortunately, I'm the chef, busboy, and
>>>>>>>>>> bottle washer for several projects here.
>>>>>>>>>>
>>>>>>>>>>> Or is there anything more I could do to help.
>>>>>>>>>>>
>>>>>>>>>>> I have now also tested the nCipher HSM. To get their p11 working my
>>>>>>>>>>> patch had to be applied.
>>>>>>>>>>>
>>>>>>>>>>> Do you have any idea when the fix could be released?
>>>>>>>>>> Are you looking for JDK7, or 6?
>>>>>>>>>>
>>>>>>>>>> Brad
>>>>>>>>>>
>>>>>>>>>>> Best Regards
>>>>>>>>>>>
>>>>>>>>>>> Brad Wetmore wrote:
>>>>>>>>>>>> Lars Silvén wrote:
>>>>>>>>>>>>> Hi Brad,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have written a simple application that illustrates the problem:
>>>>>>>>>>>>> http://bunny.primekey.se/~lars/sunP11Bug/src/test/Main.java
>>>>>>>>>>>>>
>>>>>>>>>>>>> But you need a p11 module with ECC capability to run it. Do you
>>>>>>>>>>>>> have one?
>>>>>>>>>>>> Yes.
>>>>>>>>>>>>
>>>>>>>>>>>>> If not I could investigate if one of our HSM vendors could send
>>>>>>>>>>>>> you one.
>>>>>>>>>>>>> Also to verify that the public key actually is usable a JCA
>>>>>>>>>>>>> provider with ECC is needed.
>>>>>>>>>>>> I'm going to be working on adding ECC to the JCE provider for JDK 7.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for the case.
>>>>>>>>>>>>
>>>>>>>>>>>> Brad
>>>>>>>>>>>>
>>>>>>>>>>>> But for that you could use BouncyCastle.
>>>>>>>>>>>>> Start running the application without parameters and then you get
>>>>>>>>>>>>> a description of needed parameters.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Lars
>>>>>>>>>>>>>
>>>>>>>>>>>>> Brad Wetmore wrote:
>>>>>>>>>>>>>> Great, thanks for doing so.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'll be working on this fairly soon, so I'll get a bug filed.
>>>>>>>>>>>>>> Do you have a standalone test case for this already? See step 3
>>>>>>>>>>>>>> of the contribute page. If you do but you don't have it in jtreg
>>>>>>>>>>>>>> format, I can get it into the jtreg format.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Brad
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Lars Silvén wrote:
>>>>>>>>>>>>>>> Here is my SCA!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> //Lars
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Brad Wetmore wrote:
>>>>>>>>>>>>>>>> Hi Lars,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have created a patch that is fixing the problem:
>>>>>>>>>>>>>>>> This is Brad Wetmore, I am the Security group Moderator, and
>>>>>>>>>>>>>>>> also the person who will be handling this when I get back to
>>>>>>>>>>>>>>>> working on the Java ECC implementation.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Unfortunately, I can't take your source contribution yet
>>>>>>>>>>>>>>>> without a signed copy of the Sun Contribution Agreement in
>>>>>>>>>>>>>>>> place. This is done for your protection as well as the Sun's
>>>>>>>>>>>>>>>> and the OpenJDK community's.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Please see the following link for more information:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> http://openjdk.java.net/contribute/
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The Signatories of the SCA are eligible to donate code to all
>>>>>>>>>>>>>>>> products and projects owned or managed by Sun: signing it once
>>>>>>>>>>>>>>>> means you can contribute code to any Sun-sponsored open source
>>>>>>>>>>>>>>>> project.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If you have recently signed it and it hasn't yet appeared in
>>>>>>>>>>>>>>>> our database yet, just let me know.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Discussions of the problem is fine, it's just the source that
>>>>>>>>>>>>>>>> we can't take at this point.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Brad
>>>>>>>>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>>>>>>>>
>>>>> What bug are we discussing here? I don't see any patch or bug ID.
>>> Ah, this sounds like a similar, if not the same bug as 6763530 which
>>> we discussed here:
>>>
>>> http://mail.openjdk.java.net/pipermail/security-dev/2009-September/001252.html
>>>
>>> I posted a patch for this some time ago, as you can see from the
>>> discussion, and then a revised version based on Michael StJohn's patch
>>>
>>> http://cr.openjdk.java.net/~andrew/6763530/webrev.02/
>>>
>>> but it has not yet been accepted into OpenJDK. The bug is due to the
>>> data being DER encoded. DER octet streams also start with a 4 but the
>>> length is different from that expected by the current code. The bug
>>> is triggered when newer versions of the NSS library are used for ECC
>>> support.
>> Excellent. Plenty of people are tripping in to this bug. I hope some
>> version of patches gets accepted soon!
>>
>> What's keeping the patch from getting accepted?
>
> Me, unfortunately. I'll try to get to this in the next few days.
>
>> Regards,
>> Tomas
>>
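
The encoding mismatch discussed in this thread, as an added example (not the patch from the thread and not OpenJDK code): a decoder that accepts both the bare uncompressed EC point and the same point wrapped in a DER OCTET STRING, telling them apart by length because both start with 0x04. The names `EcPointDecoder` and `decode` and the sample bytes are constructed for illustration, and only uncompressed points on a curve of known field size are handled.

```java
import java.util.Arrays;

// Added illustration; EcPointDecoder and decode() are hypothetical names.
public class EcPointDecoder {

    /** Returns the raw uncompressed point 0x04 || X || Y for a curve of fieldBits bits. */
    static byte[] decode(byte[] attr, int fieldBits) {
        int rawLen = 1 + 2 * ((fieldBits + 7) / 8);
        // Form the old code expected: the bare point, no wrapper.
        if (attr.length == rawLen && attr[0] == 0x04) {
            return attr.clone();
        }
        // Tag-length-value form: OCTET STRING (tag 0x04), DER length, then the point.
        if (attr.length < 3 || attr[0] != 0x04) {
            throw new IllegalArgumentException("not an OCTET STRING");
        }
        int pos = 1;
        int len = attr[pos++] & 0xff;
        if (len >= 0x80) {                       // long-form length
            int n = len & 0x7f;
            if (n < 1 || n > 2 || pos + n > attr.length) {
                throw new IllegalArgumentException("bad length octets");
            }
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (attr[pos++] & 0xff);
            }
            if (len < 0x80 || (n == 2 && len < 0x100)) {
                throw new IllegalArgumentException("non-minimal DER length");
            }
        }
        // Reject truncated input, trailing bytes, and content that is not a point.
        if (len != attr.length - pos || len != rawLen || attr[pos] != 0x04) {
            throw new IllegalArgumentException("unexpected EC point length or format");
        }
        return Arrays.copyOfRange(attr, pos, pos + len);
    }

    public static void main(String[] args) {
        // Constructed sample: P-521 point (133 bytes), so the DER length is long form 0x81 0x85.
        byte[] raw = new byte[133];
        raw[0] = 0x04;
        byte[] der = new byte[3 + raw.length];
        der[0] = 0x04; der[1] = (byte) 0x81; der[2] = (byte) 0x85;
        System.arraycopy(raw, 0, der, 3, raw.length);
        System.out.println(Arrays.equals(decode(raw, 521), raw));
        System.out.println(Arrays.equals(decode(der, 521), raw));
    }
}
```

Because the wrapped form is always two or three bytes longer than the bare point for a given curve, the length comparison is unambiguous once the curve's field size is known.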