
Red Hat OpenJDK packages can throw due to not recognising some elliptic curves #701

Closed
mikehearn opened this issue May 17, 2017 · 5 comments

@mikehearn
Contributor

Red Hat and elliptic curve crypto have a troubled history. They have often silently removed support from software as they have packaged it.

https://discourse.corda.net/t/unknown-named-curve/1122

We should catch the exception named in that forum post and print out an error explaining the problem and the fix.

@phax

phax commented Aug 1, 2017

Same problem (unrelated to this project) with CentOS Linux release 7.3.1611 (Core) using

# /usr/bin/java -version
openjdk version "1.8.0_141"
OpenJDK Runtime Environment (build 1.8.0_141-b16)
OpenJDK 64-Bit Server VM (build 25.141-b16, mixed mode)

I'm missing a slightly different curve:

Caused by: java.io.IOException: Unknown named curve: 1.3.132.0.38
        at sun.security.ec.ECParameters.engineInit(ECParameters.java:143) ~[sunec.jar:1.8.0_141]
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_141]
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_141]
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_141]
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_141]
        at sun.security.x509.X509Key.parse(X509Key.java:168) ~[?:1.8.0_141]

So I assume OpenJDK does not have the license (or so) to include this in their package.

The property from the SunEC provider is:

AlgorithmParameters.EC SupportedCurves =
[secp256r1,NIST P-256,X9.62 prime256v1,1.2.840.10045.3.1.7]
[secp384r1,NIST P-384,1.3.132.0.34]
[secp521r1,NIST P-521,1.3.132.0.35]

--> so it looks like only these 3 curves are supported by default...
But I must admit I didn't install the extended Java Security policy...

Edit: JCE policy update (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) didn't change a thing

Edit 2: adding BouncyCastle 1.57 helped, but the underlying API I was using (jjwt 0.7.0) did not support custom security providers, so I changed to an RSA certificate :(
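As an added example (not Corda's code and not phax's), serving both mikehearn's suggestion to catch the exception and print an explanation and phax's inspection of the SunEC property: a small Java diagnostic that reads the provider's `AlgorithmParameters.EC SupportedCurves` property and then exercises the same `AlgorithmParameters.init(byte[])` path shown in the stack trace for OID 1.3.132.0.38 (secp256k1). The class name, the hand-encoded DER bytes and the wording of the message are assumptions made for this example.

```java
import java.io.IOException;
import java.security.AlgorithmParameters;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

public class CurveSupportCheck {
    // OID from the stack trace above (secp256k1). DER encoding constructed by hand:
    // tag 0x06, length 5, then base-128 encoding of 1.3.132.0.38.
    static final String SECP256K1_OID = "1.3.132.0.38";
    static final byte[] SECP256K1_DER = {0x06, 0x05, 0x2B, (byte) 0x81, 0x04, 0x00, 0x26};

    // Returns the curves the SunEC provider advertises (the property phax printed),
    // or null if there is no SunEC provider at all.
    static String sunEcSupportedCurves() {
        Provider sunEc = Security.getProvider("SunEC");
        return sunEc == null ? null : sunEc.getProperty("AlgorithmParameters.EC SupportedCurves");
    }

    // Runs the exact code path from the trace: AlgorithmParameters.init(byte[]) on a DER OID.
    // Returns null when the curve is usable, otherwise a message explaining the cause and the fix.
    static String checkCurve(String oid, byte[] derOid) {
        try {
            AlgorithmParameters.getInstance("EC").init(derOid);
            return null;
        } catch (NoSuchAlgorithmException e) {
            return "No EC AlgorithmParameters implementation is installed: " + e.getMessage();
        } catch (IOException e) {
            // SunEC reports "Unknown named curve: <oid>" here on affected builds.
            return "Unknown named curve " + oid + " (" + e.getMessage() + "). "
                 + "This JDK build does not ship the curve; this is a known OpenJDK issue on some "
                 + "Linux distributions. Use a JDK that includes it (e.g. Zulu or Oracle JDK) or "
                 + "register a security provider such as BouncyCastle that implements it.";
        }
    }

    public static void main(String[] args) {
        System.out.println("SunEC SupportedCurves: " + sunEcSupportedCurves());
        String problem = checkCurve(SECP256K1_OID, SECP256K1_DER);
        System.out.println(problem == null ? "Curve " + SECP256K1_OID + " is supported." : problem);
    }
}
```

On a JDK whose SunEC lists only the three NIST curves, the second line printed is the explanatory message rather than the bare `java.io.IOException`.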

@mikehearn
Contributor Author

Hm, Kostas' fix should have caused a more useful error to be printed.

Can you show us the full stack trace?

@kchalkias
Contributor

kchalkias commented Aug 4, 2017

I think phax is referring to another project (not Corda), in which he experienced the same issue as we did. Our current error message in NodeStartup.kt is
"Exception during node startup - Unknown named curve: OID. This is a known OpenJDK issue on some Linux distributions, please use OpenJDK from zulu.org or Oracle JDK".

@mikehearn
Contributor Author

I think this issue was "fixed" as best we can (better warning) some time ago. Over time Oracle JDK and OpenJDK will converge due to a new policy of open sourcing more stuff at Oracle. So I'll close this. It should fix itself naturally unless Red Hat keep removing stuff from OpenJDK.

@AlinGabriel

AlinGabriel commented Jul 30, 2020

Hi. This problem is still not solved in OpenJDK 11. I tried adding BouncyCastle, but it did not help. Does anyone have any other idea?
I am missing the exact same curve:

java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.132.0.38
