8235710: Remove the legacy elliptic curves

Reviewed-by: xuelei, erikj
openjdk · Sep 25, 2020 · 0b83fc0150108c7250da3e80ec8f02deb3b5861c · 0b83fc0 · bridgekeeper · Sep 25, 2020
1 parent 8239b67
commit 0b83fc0150108c7250da3e80ec8f02deb3b5861c
diff --git a/make/autoconf/configure.ac b/make/autoconf/configure.ac
@@ -242,7 +242,6 @@ HOTSPOT_SETUP_MISC
 #
 ###############################################################################
 
-JDKOPT_DETECT_INTREE_EC
 JDKOPT_ENABLE_DISABLE_FAILURE_HANDLER
 JDKOPT_ENABLE_DISABLE_GENERATE_CLASSLIST
 JDKOPT_EXCLUDE_TRANSLATIONS

diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4
@@ -228,23 +228,6 @@ AC_DEFUN_ONCE([JDKOPT_SETUP_JDK_OPTIONS],
 ])
 
 ###############################################################################
-#
-# Enable or disable the elliptic curve crypto implementation
-#
-AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC],
-[
-  AC_MSG_CHECKING([if elliptic curve crypto implementation is present])
-
-  if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
-    ENABLE_INTREE_EC=true
-    AC_MSG_RESULT([yes])
-  else
-    ENABLE_INTREE_EC=false
-    AC_MSG_RESULT([no])
-  fi
-
-  AC_SUBST(ENABLE_INTREE_EC)
-])
 
 AC_DEFUN_ONCE([JDKOPT_SETUP_DEBUG_SYMBOLS],
 [

diff --git a/src/java.base/share/classes/sun/security/util/CurveDB.java b/src/java.base/share/classes/sun/security/util/CurveDB.java
@@ -53,11 +53,6 @@
 
     private static Collection<? extends NamedCurve> specCollection;
 
-    // Used by SunECEntries
-    public static Collection<? extends NamedCurve>getSupportedCurves() {
-        return specCollection;
-    }
-
     // Return a NamedCurve for the specified OID/name or null if unknown.
     public static NamedCurve lookup(String name) {
         NamedCurve spec = oidMap.get(name);

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
@@ -495,16 +495,7 @@ sun.security.krb5.maxReferrals=5
 # in the jdk.[tls|certpath|jar].disabledAlgorithms properties.  To include this
 # list in any of the disabledAlgorithms properties, add the property name as
 # an entry.
-jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
-    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
-    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
-    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
-    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
-    sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
-    X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
-    X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
-    X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
-    brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
+#jdk.disabled.namedCurves=
 
 #
 # Algorithm restrictions for certification path (CertPath) processing
@@ -642,8 +633,7 @@ jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
 #
 #
 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
-    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
-    include jdk.disabled.namedCurves
+    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
 
 #
 # Legacy algorithms for certification path (CertPath) processing and
@@ -707,7 +697,7 @@ jdk.security.legacyAlgorithms=SHA1, \
 # See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
 #
 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
-      DSA keySize < 1024, include jdk.disabled.namedCurves
+      DSA keySize < 1024
 
 #
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
@@ -742,8 +732,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
 #       rsa_pkcs1_sha1, secp224r1
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
-    include jdk.disabled.namedCurves
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 #
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDHKeyAgreement.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDHKeyAgreement.java
@@ -169,22 +169,12 @@ private static void validate(ECOperations ops, ECPublicKey key) {
         }
         byte[] result;
         Optional<byte[]> resultOpt = deriveKeyImpl(privateKey, publicKey);
-        if (resultOpt.isPresent()) {
-            result = resultOpt.get();
-        } else {
-            if (SunEC.isNativeDisabled()) {
-                NamedCurve privNC = CurveDB.lookup(privateKey.getParams());
-                NamedCurve pubNC = CurveDB.lookup(publicKey.getParams());
-                throw new IllegalStateException(
-                        new InvalidAlgorithmParameterException("Legacy SunEC " +
-                                "curve disabled, one or both keys:  " +
-                                "Private: " + ((privNC != null) ?
-                                privNC.toString() : " unknown") +
-                                ", PublicKey:" + ((pubNC != null) ?
-                                pubNC.toString() : " unknown")));
-            }
-            result = deriveKeyNative(privateKey, publicKey);
+        if (resultOpt.isEmpty()) {
+            throw new IllegalStateException(
+                new InvalidAlgorithmParameterException("Curve not supported: " +
+                    publicKey.getParams().toString()));
         }
+        result = resultOpt.get();
         publicKey = null;
         return result;
     }
@@ -263,42 +253,4 @@ protected SecretKey engineGenerateSecret(String algorithm)
 
         return Optional.of(result);
     }
-
-    private static
-    byte[] deriveKeyNative(ECPrivateKey privateKey, ECPublicKey publicKey) {
-
-        ECParameterSpec params = privateKey.getParams();
-        byte[] s = privateKey.getS().toByteArray();
-        byte[] encodedParams =                   // DER OID
-            ECUtil.encodeECParameterSpec(null, params);
-
-        byte[] publicValue;
-        if (publicKey instanceof ECPublicKeyImpl) {
-            ECPublicKeyImpl ecPub = (ECPublicKeyImpl) publicKey;
-            publicValue = ecPub.getEncodedPublicValue();
-        } else { // instanceof ECPublicKey
-            publicValue =
-                ECUtil.encodePoint(publicKey.getW(), params.getCurve());
-        }
-
-        try {
-            return deriveKey(s, publicValue, encodedParams);
-
-        } catch (GeneralSecurityException e) {
-            throw new ProviderException("Could not derive key", e);
-        }
-    }
-
-
-    /**
-     * Generates a secret key using the public and private keys.
-     *
-     * @param s the private key's S value.
-     * @param w the public key's W point (in uncompressed form).
-     * @param encodedParams the curve's DER encoded object identifier.
-     *
-     * @return byte[] the secret key.
-     */
-    private static native byte[] deriveKey(byte[] s, byte[] w,
-        byte[] encodedParams) throws GeneralSecurityException;
 }
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java
@@ -466,53 +466,6 @@ private static boolean isCompatible(ECParameterSpec sigParams,
     }
 
 
-    private Optional<byte[]> signDigestAvailable(ECPrivateKey privateKey,
-        byte[] digest, SecureRandom random) throws SignatureException {
-
-        ECParameterSpec params = privateKey.getParams();
-
-        // seed is the key size + 64 bits
-        int seedBits = params.getOrder().bitLength() + 64;
-        Optional<ECDSAOperations> opsOpt =
-            ECDSAOperations.forParameters(params);
-        if (opsOpt.isEmpty()) {
-            return Optional.empty();
-        } else {
-            byte[] sig = signDigestImpl(opsOpt.get(), seedBits, digest,
-                privateKey, random);
-            return Optional.of(sig);
-        }
-    }
-
-    private byte[] signDigestNative(ECPrivateKey privateKey, byte[] digest,
-        SecureRandom random) throws SignatureException {
-
-        byte[] s = privateKey.getS().toByteArray();
-        ECParameterSpec params = privateKey.getParams();
-
-        // DER OID
-        byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params);
-        int orderLength = params.getOrder().bitLength();
-
-        // seed is twice the order length (in bytes) plus 1
-        byte[] seed = new byte[(((orderLength + 7) >> 3) + 1) * 2];
-
-        random.nextBytes(seed);
-
-        // random bits needed for timing countermeasures
-        int timingArgument = random.nextInt();
-        // values must be non-zero to enable countermeasures
-        timingArgument |= 1;
-
-        try {
-            return signDigest(digest, s, encodedParams, seed,
-                timingArgument);
-        } catch (GeneralSecurityException e) {
-            throw new SignatureException("Could not sign data", e);
-        }
-
-    }
-
     // sign the data and return the signature. See JCA doc
     @Override
     protected byte[] engineSign() throws SignatureException {
@@ -522,21 +475,18 @@ private static boolean isCompatible(ECParameterSpec sigParams,
         }
 
         byte[] digest = getDigestValue();
-        Optional<byte[]> sigOpt = signDigestAvailable(privateKey, digest, random);
-        byte[] sig;
-        if (sigOpt.isPresent()) {
-            sig = sigOpt.get();
-        } else {
-            if (SunEC.isNativeDisabled()) {
-                NamedCurve nc = CurveDB.lookup(privateKey.getParams());
-                throw new SignatureException(
-                        new InvalidAlgorithmParameterException(
-                                "Legacy SunEC curve disabled:  " +
-                                        (nc != null ? nc.toString()
-                                                : "unknown")));
-            }
-            sig = signDigestNative(privateKey, digest, random);
+        ECParameterSpec params = privateKey.getParams();
+
+        // seed is the key size + 64 bits
+        int seedBits = params.getOrder().bitLength() + 64;
+        Optional<ECDSAOperations> opsOpt =
+            ECDSAOperations.forParameters(params);
+        if (opsOpt.isEmpty()) {
+            throw new SignatureException("Curve not supported: " +
+                params.toString());
         }
+        byte[] sig = signDigestImpl(opsOpt.get(), seedBits, digest, privateKey,
+            random);
 
         if (p1363Format) {
             return sig;
@@ -557,59 +507,14 @@ protected boolean engineVerify(byte[] signature) throws SignatureException {
         }
 
         byte[] digest = getDigestValue();
-        Optional<Boolean> verifyOpt
-                = verifySignedDigestAvailable(publicKey, sig, digest);
-
-        if (verifyOpt.isPresent()) {
-            return verifyOpt.get();
-        } else {
-            if (SunEC.isNativeDisabled()) {
-                NamedCurve nc = CurveDB.lookup(publicKey.getParams());
-                throw new SignatureException(
-                        new InvalidAlgorithmParameterException(
-                                "Legacy SunEC curve disabled:  " +
-                                        (nc != null ? nc.toString()
-                                                : "unknown")));
-            }
-
-            byte[] w;
-            ECParameterSpec params = publicKey.getParams();
-            // DER OID
-            byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params);
-
-            if (publicKey instanceof ECPublicKeyImpl) {
-                w = ((ECPublicKeyImpl) publicKey).getEncodedPublicValue();
-            } else { // instanceof ECPublicKey
-                w = ECUtil.encodePoint(publicKey.getW(), params.getCurve());
-            }
-
-            try {
-                return verifySignedDigest(sig, digest, w, encodedParams);
-            } catch (GeneralSecurityException e) {
-                throw new SignatureException("Could not verify signature", e);
-            }
-        }
-    }
-
-    private Optional<Boolean> verifySignedDigestAvailable(
-            ECPublicKey publicKey, byte[] sig, byte[] digestValue) {
-
-        ECParameterSpec params = publicKey.getParams();
 
         Optional<ECDSAOperations> opsOpt =
-                ECDSAOperations.forParameters(params);
+            ECDSAOperations.forParameters(publicKey.getParams());
         if (opsOpt.isEmpty()) {
-            return Optional.empty();
-        } else {
-            boolean result = verifySignedDigestImpl(opsOpt.get(), digestValue,
-                    publicKey, sig);
-            return Optional.of(result);
+            throw new SignatureException("Curve not supported: " +
+                publicKey.getParams().toString());
         }
-    }
-
-    private boolean verifySignedDigestImpl(ECDSAOperations ops,
-            byte[] digest, ECPublicKey pub, byte[] sig) {
-        return ops.verifySignedDigest(digest, sig, pub.getW());
+        return opsOpt.get().verifySignedDigest(digest, sig, publicKey.getW());
     }
 
     // set parameter, not supported. See JCA doc
@@ -657,40 +562,4 @@ protected AlgorithmParameters engineGetParameters() {
             throw new ProviderException("Error retrieving EC parameters", e);
         }
     }
-
-    /**
-     * Signs the digest using the private key.
-     *
-     * @param digest the digest to be signed.
-     * @param s the private key's S value.
-     * @param encodedParams the curve's DER encoded object identifier.
-     * @param seed the random seed.
-     * @param timing When non-zero, the implmentation will use timing
-     *     countermeasures to hide secrets from timing channels. The EC
-     *     implementation will disable the countermeasures when this value is
-     *     zero, because the underlying EC functions are shared by several
-     *     crypto operations, some of which do not use the countermeasures.
-     *     The high-order 31 bits must be uniformly random. The entropy from
-     *     these bits is used by the countermeasures.
-     *
-     * @return byte[] the signature.
-     */
-    private static native byte[] signDigest(byte[] digest, byte[] s,
-                                            byte[] encodedParams, byte[] seed, int timing)
-        throws GeneralSecurityException;
-
-    /**
-     * Verifies the signed digest using the public key.
-     *
-     * @param signature the signature to be verified. It is encoded
-     *        as a concatenation of the key's R and S values.
-     * @param digest the digest to be used.
-     * @param w the public key's W point (in uncompressed form).
-     * @param encodedParams the curve's DER encoded object identifier.
-     *
-     * @return boolean true if the signature is successfully verified.
-     */
-    private static native boolean verifySignedDigest(byte[] signature,
-                                                     byte[] digest, byte[] w, byte[] encodedParams)
-        throws GeneralSecurityException;
 }