8235710: Remove the legacy elliptic curves
Reviewed-by: xuelei, erikj
Anthony Scarpino committed Sep 25, 2020
1 parent 8239b67 commit 0b83fc0150108c7250da3e80ec8f02deb3b5861c
Showing with 107 additions and 20,127 deletions.
  1. +0 −1 make/autoconf/configure.ac
  2. +0 −17 make/autoconf/jdk-options.m4
  3. +0 −5 src/java.base/share/classes/sun/security/util/CurveDB.java
  4. +4 −15 src/java.base/share/conf/security/java.security
  5. +5 −53 src/jdk.crypto.ec/share/classes/sun/security/ec/ECDHKeyAgreement.java
  6. +15 −146 src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java
  7. +6 −75 src/jdk.crypto.ec/share/classes/sun/security/ec/ECKeyPairGenerator.java
  8. +8 −56 src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
  9. +0 −599 src/jdk.crypto.ec/share/legal/ecc.md
  10. +0 −527 src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
  11. +0 −1,091 src/jdk.crypto.ec/share/native/libsunec/impl/ec.c
  12. +0 −52 src/jdk.crypto.ec/share/native/libsunec/impl/ec.h
  13. +0 −126 src/jdk.crypto.ec/share/native/libsunec/impl/ec2.h
  14. +0 −260 src/jdk.crypto.ec/share/native/libsunec/impl/ec2_163.c
  15. +0 −277 src/jdk.crypto.ec/share/native/libsunec/impl/ec2_193.c
  16. +0 −300 src/jdk.crypto.ec/share/native/libsunec/impl/ec2_233.c
  17. +0 −349 src/jdk.crypto.ec/share/native/libsunec/impl/ec2_aff.c
  18. +0 −278 src/jdk.crypto.ec/share/native/libsunec/impl/ec2_mont.c
  19. +0 −102 src/jdk.crypto.ec/share/native/libsunec/impl/ec_naf.c
  20. +0 −271 src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h
  21. +0 −642 src/jdk.crypto.ec/share/native/libsunec/impl/ecdecode.c
  22. +0 −733 src/jdk.crypto.ec/share/native/libsunec/impl/ecl-curve.h
  23. +0 −201 src/jdk.crypto.ec/share/native/libsunec/impl/ecl-exp.h
  24. +0 −300 src/jdk.crypto.ec/share/native/libsunec/impl/ecl-priv.h
  25. +0 −454 src/jdk.crypto.ec/share/native/libsunec/impl/ecl.c
  26. +0 −92 src/jdk.crypto.ec/share/native/libsunec/impl/ecl.h
  27. +0 −195 src/jdk.crypto.ec/share/native/libsunec/impl/ecl_curve.c
  28. +0 −1,043 src/jdk.crypto.ec/share/native/libsunec/impl/ecl_gf.c
  29. +0 −362 src/jdk.crypto.ec/share/native/libsunec/impl/ecl_mult.c
  30. +0 −144 src/jdk.crypto.ec/share/native/libsunec/impl/ecp.h
  31. +0 −517 src/jdk.crypto.ec/share/native/libsunec/impl/ecp_192.c
  32. +0 −373 src/jdk.crypto.ec/share/native/libsunec/impl/ecp_224.c
  33. +0 −430 src/jdk.crypto.ec/share/native/libsunec/impl/ecp_256.c
  34. +0 −294 src/jdk.crypto.ec/share/native/libsunec/impl/ecp_384.c
  35. +0 −171 src/jdk.crypto.ec/share/native/libsunec/impl/ecp_521.c
  36. +0 −360 src/jdk.crypto.ec/share/native/libsunec/impl/ecp_aff.c
  37. +0 −564 src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c
  38. +0 −396 src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c
  39. +0 −202 src/jdk.crypto.ec/share/native/libsunec/impl/ecp_mont.c
  40. +0 −61 src/jdk.crypto.ec/share/native/libsunec/impl/logtab.h
  41. +0 −101 src/jdk.crypto.ec/share/native/libsunec/impl/mp_gf2m-priv.h
  42. +0 −603 src/jdk.crypto.ec/share/native/libsunec/impl/mp_gf2m.c
  43. +0 −62 src/jdk.crypto.ec/share/native/libsunec/impl/mp_gf2m.h
  44. +0 −109 src/jdk.crypto.ec/share/native/libsunec/impl/mpi-config.h
  45. +0 −320 src/jdk.crypto.ec/share/native/libsunec/impl/mpi-priv.h
  46. +0 −4,871 src/jdk.crypto.ec/share/native/libsunec/impl/mpi.c
  47. +0 −387 src/jdk.crypto.ec/share/native/libsunec/impl/mpi.h
  48. +0 −218 src/jdk.crypto.ec/share/native/libsunec/impl/mplogic.c
  49. +0 −83 src/jdk.crypto.ec/share/native/libsunec/impl/mplogic.h
  50. +0 −176 src/jdk.crypto.ec/share/native/libsunec/impl/mpmontg.c
  51. +0 −66 src/jdk.crypto.ec/share/native/libsunec/impl/mpprime.h
  52. +0 −538 src/jdk.crypto.ec/share/native/libsunec/impl/oid.c
  53. +0 −179 src/jdk.crypto.ec/share/native/libsunec/impl/secitem.c
  54. +0 −82 src/jdk.crypto.ec/share/native/libsunec/impl/secoidt.h
  55. +2 −28 test/jdk/java/security/KeyAgreement/KeyAgreementTest.java
  56. +2 −2 test/jdk/java/security/KeyAgreement/KeySizeTest.java
  57. +0 −55 test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java
  58. +3 −3 test/jdk/jdk/security/jarsigner/Spec.java
  59. +3 −10 test/jdk/sun/security/ec/ECDSAJavaVerify.java
  60. +6 −6 test/jdk/sun/security/ec/SignatureDigestTruncate.java
  61. +9 −3 test/jdk/sun/security/ec/TestEC.java
  62. BIN test/jdk/sun/security/ec/keystore
  63. BIN test/jdk/sun/security/ec/pkcs12/sect193r1server-rsa1024ca.p12
  64. +3 −3 test/jdk/sun/security/pkcs11/ec/ReadPKCS12.java
  65. +7 −4 test/jdk/sun/security/pkcs11/ec/TestECDH.java
  66. +5 −3 test/jdk/sun/security/pkcs11/ec/TestECDSA.java
  67. +5 −10 test/jdk/sun/security/pkcs11/ec/TestKeyFactory.java
  68. BIN test/jdk/sun/security/pkcs11/ec/pkcs12/sect193r1server-rsa1024ca.p12
  69. BIN test/jdk/sun/security/pkcs11/sslecc/keystore
  70. +2 −6 test/jdk/sun/security/provider/KeyStore/DKSTest.java
  71. +0 −4 test/jdk/sun/security/provider/KeyStore/domains.cfg
  72. +13 −12 test/jdk/sun/security/ssl/CipherSuite/DisabledCurve.java
  73. +3 −11 test/jdk/sun/security/tools/jarsigner/RestrictedAlgo.java
  74. +0 −5 test/jdk/sun/security/tools/keytool/GroupName.java
  75. +0 −4 test/jdk/sun/security/tools/keytool/KeyAlg.java
  76. +2 −5 test/jdk/sun/security/tools/keytool/fakegen/DefaultSignatureAlgorithm.java
  77. +4 −24 test/jdk/sun/security/tools/keytool/fakegen/jdk.crypto.ec/sun/security/ec/ECKeyPairGenerator.java
@@ -242,7 +242,6 @@ HOTSPOT_SETUP_MISC
#
###############################################################################

JDKOPT_DETECT_INTREE_EC
JDKOPT_ENABLE_DISABLE_FAILURE_HANDLER
JDKOPT_ENABLE_DISABLE_GENERATE_CLASSLIST
JDKOPT_EXCLUDE_TRANSLATIONS
@@ -228,23 +228,6 @@ AC_DEFUN_ONCE([JDKOPT_SETUP_JDK_OPTIONS],
])

###############################################################################
#
# Enable or disable the elliptic curve crypto implementation
#
AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC],
[
AC_MSG_CHECKING([if elliptic curve crypto implementation is present])
if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
ENABLE_INTREE_EC=true
AC_MSG_RESULT([yes])
else
ENABLE_INTREE_EC=false
AC_MSG_RESULT([no])
fi
AC_SUBST(ENABLE_INTREE_EC)
])

AC_DEFUN_ONCE([JDKOPT_SETUP_DEBUG_SYMBOLS],
[
@@ -53,11 +53,6 @@

private static Collection<? extends NamedCurve> specCollection;

// Used by SunECEntries
public static Collection<? extends NamedCurve>getSupportedCurves() {
return specCollection;
}

// Return a NamedCurve for the specified OID/name or null if unknown.
public static NamedCurve lookup(String name) {
NamedCurve spec = oidMap.get(name);
@@ -495,16 +495,7 @@ sun.security.krb5.maxReferrals=5
# in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this
# list in any of the disabledAlgorithms properties, add the property name as
# an entry.
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
#jdk.disabled.namedCurves=

#
# Algorithm restrictions for certification path (CertPath) processing
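Review bot: Dropping `include jdk.disabled.namedCurves` from the three disabledAlgorithms lists (the jdk.certpath, jdk.jar and jdk.tls hunks below) and leaving the property as the commented-out `#jdk.disabled.namedCurves=` removes a provider-independent restriction, not only the JDK's own implementation of these curves. The remaining `EC keySize < 224` clause still catches the small curves, but secp224r1, secp256k1, the sect233 through sect571 curves and brainpoolP256r1 through brainpoolP512r1 from the removed list are 224 bits or larger and would now pass CertPath, jar and TLS checks whenever another provider (SunPKCS11 or a third-party JCE provider) still implements them. If the intent is that only SunEC's support goes away, keeping the populated property and the `include` entries preserves the previous default for those providers. Either way the surrounding comment (`# ... To include this list in any of the disabledAlgorithms properties, add the property name as an entry.`) now describes an empty property, so it should say that the list is empty by default and exists for deployments whose other providers still offer these curves.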
@@ -642,8 +633,7 @@ jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

#
# Legacy algorithms for certification path (CertPath) processing and
@@ -707,7 +697,7 @@ jdk.security.legacyAlgorithms=SHA1, \
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, include jdk.disabled.namedCurves
DSA keySize < 1024

#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
@@ -742,8 +732,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
EC keySize < 224, 3DES_EDE_CBC, anon, NULL

#
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
@@ -169,22 +169,12 @@ private static void validate(ECOperations ops, ECPublicKey key) {
}
byte[] result;
Optional<byte[]> resultOpt = deriveKeyImpl(privateKey, publicKey);
if (resultOpt.isPresent()) {
result = resultOpt.get();
} else {
if (SunEC.isNativeDisabled()) {
NamedCurve privNC = CurveDB.lookup(privateKey.getParams());
NamedCurve pubNC = CurveDB.lookup(publicKey.getParams());
throw new IllegalStateException(
new InvalidAlgorithmParameterException("Legacy SunEC " +
"curve disabled, one or both keys: " +
"Private: " + ((privNC != null) ?
privNC.toString() : " unknown") +
", PublicKey:" + ((pubNC != null) ?
pubNC.toString() : " unknown")));
}
result = deriveKeyNative(privateKey, publicKey);
if (resultOpt.isEmpty()) {
throw new IllegalStateException(
new InvalidAlgorithmParameterException("Curve not supported: " +
publicKey.getParams().toString()));
}
result = resultOpt.get();
publicKey = null;
return result;
}
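Review bot: The unsupported-curve case is reported as an `IllegalStateException` wrapping an `InvalidAlgorithmParameterException` out of `engineGenerateSecret`, which is late: the curve is known as soon as the keys are supplied, so unless `engineInit` already rejects parameters that `deriveKeyImpl` cannot handle (not visible in this hunk), a caller sees a generic state error at secret generation instead of an `InvalidKeyException` at init time. Within this hunk, the `byte[] result;` declaration separated from its assignment by the check can be collapsed to `byte[] result = deriveKeyImpl(privateKey, publicKey).orElseThrow(() -> new IllegalStateException(new InvalidAlgorithmParameterException("Curve not supported: " + publicKey.getParams())));`, which also removes the `isEmpty()` followed by `get()` pattern. The enclosing `engineGenerateSecret` starts before this hunk.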
@@ -263,42 +253,4 @@ protected SecretKey engineGenerateSecret(String algorithm)

return Optional.of(result);
}

private static
byte[] deriveKeyNative(ECPrivateKey privateKey, ECPublicKey publicKey) {

ECParameterSpec params = privateKey.getParams();
byte[] s = privateKey.getS().toByteArray();
byte[] encodedParams = // DER OID
ECUtil.encodeECParameterSpec(null, params);

byte[] publicValue;
if (publicKey instanceof ECPublicKeyImpl) {
ECPublicKeyImpl ecPub = (ECPublicKeyImpl) publicKey;
publicValue = ecPub.getEncodedPublicValue();
} else { // instanceof ECPublicKey
publicValue =
ECUtil.encodePoint(publicKey.getW(), params.getCurve());
}

try {
return deriveKey(s, publicValue, encodedParams);

} catch (GeneralSecurityException e) {
throw new ProviderException("Could not derive key", e);
}
}


/**
* Generates a secret key using the public and private keys.
*
* @param s the private key's S value.
* @param w the public key's W point (in uncompressed form).
* @param encodedParams the curve's DER encoded object identifier.
*
* @return byte[] the secret key.
*/
private static native byte[] deriveKey(byte[] s, byte[] w,
byte[] encodedParams) throws GeneralSecurityException;
}
@@ -466,53 +466,6 @@ private static boolean isCompatible(ECParameterSpec sigParams,
}


private Optional<byte[]> signDigestAvailable(ECPrivateKey privateKey,
byte[] digest, SecureRandom random) throws SignatureException {

ECParameterSpec params = privateKey.getParams();

// seed is the key size + 64 bits
int seedBits = params.getOrder().bitLength() + 64;
Optional<ECDSAOperations> opsOpt =
ECDSAOperations.forParameters(params);
if (opsOpt.isEmpty()) {
return Optional.empty();
} else {
byte[] sig = signDigestImpl(opsOpt.get(), seedBits, digest,
privateKey, random);
return Optional.of(sig);
}
}

private byte[] signDigestNative(ECPrivateKey privateKey, byte[] digest,
SecureRandom random) throws SignatureException {

byte[] s = privateKey.getS().toByteArray();
ECParameterSpec params = privateKey.getParams();

// DER OID
byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params);
int orderLength = params.getOrder().bitLength();

// seed is twice the order length (in bytes) plus 1
byte[] seed = new byte[(((orderLength + 7) >> 3) + 1) * 2];

random.nextBytes(seed);

// random bits needed for timing countermeasures
int timingArgument = random.nextInt();
// values must be non-zero to enable countermeasures
timingArgument |= 1;

try {
return signDigest(digest, s, encodedParams, seed,
timingArgument);
} catch (GeneralSecurityException e) {
throw new SignatureException("Could not sign data", e);
}

}

// sign the data and return the signature. See JCA doc
@Override
protected byte[] engineSign() throws SignatureException {
@@ -522,21 +475,18 @@ private static boolean isCompatible(ECParameterSpec sigParams,
}

byte[] digest = getDigestValue();
Optional<byte[]> sigOpt = signDigestAvailable(privateKey, digest, random);
byte[] sig;
if (sigOpt.isPresent()) {
sig = sigOpt.get();
} else {
if (SunEC.isNativeDisabled()) {
NamedCurve nc = CurveDB.lookup(privateKey.getParams());
throw new SignatureException(
new InvalidAlgorithmParameterException(
"Legacy SunEC curve disabled: " +
(nc != null ? nc.toString()
: "unknown")));
}
sig = signDigestNative(privateKey, digest, random);
ECParameterSpec params = privateKey.getParams();

// seed is the key size + 64 bits
int seedBits = params.getOrder().bitLength() + 64;
Optional<ECDSAOperations> opsOpt =
ECDSAOperations.forParameters(params);
if (opsOpt.isEmpty()) {
throw new SignatureException("Curve not supported: " +
params.toString());
}
byte[] sig = signDigestImpl(opsOpt.get(), seedBits, digest, privateKey,
random);

if (p1363Format) {
return sig;
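Review bot: The `isEmpty()` check followed by `opsOpt.get()` on the new side of `engineSign` is the manual form of `Optional.orElseThrow`, which accepts a supplier of a checked exception, so the lookup, the check and the call can read as `ECDSAOperations ops = ECDSAOperations.forParameters(params).orElseThrow(() -> new SignatureException("Curve not supported: " + params.toString()));` followed by `byte[] sig = signDigestImpl(ops, seedBits, digest, privateKey, random);`. The same shape appears in the `engineVerify` hunk below, where `opsOpt.get().verifySignedDigest(digest, sig, publicKey.getW())` would become a call on the unwrapped `ops`. Doing this lookup before computing `seedBits` keeps the unsupported-curve exit as the first thing the method does after obtaining the digest. `engineSign` starts before this hunk and the `if (p1363Format)` branch continues past it.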
@@ -557,59 +507,14 @@ protected boolean engineVerify(byte[] signature) throws SignatureException {
}

byte[] digest = getDigestValue();
Optional<Boolean> verifyOpt
= verifySignedDigestAvailable(publicKey, sig, digest);

if (verifyOpt.isPresent()) {
return verifyOpt.get();
} else {
if (SunEC.isNativeDisabled()) {
NamedCurve nc = CurveDB.lookup(publicKey.getParams());
throw new SignatureException(
new InvalidAlgorithmParameterException(
"Legacy SunEC curve disabled: " +
(nc != null ? nc.toString()
: "unknown")));
}

byte[] w;
ECParameterSpec params = publicKey.getParams();
// DER OID
byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params);

if (publicKey instanceof ECPublicKeyImpl) {
w = ((ECPublicKeyImpl) publicKey).getEncodedPublicValue();
} else { // instanceof ECPublicKey
w = ECUtil.encodePoint(publicKey.getW(), params.getCurve());
}

try {
return verifySignedDigest(sig, digest, w, encodedParams);
} catch (GeneralSecurityException e) {
throw new SignatureException("Could not verify signature", e);
}
}
}

private Optional<Boolean> verifySignedDigestAvailable(
ECPublicKey publicKey, byte[] sig, byte[] digestValue) {

ECParameterSpec params = publicKey.getParams();

Optional<ECDSAOperations> opsOpt =
ECDSAOperations.forParameters(params);
ECDSAOperations.forParameters(publicKey.getParams());
if (opsOpt.isEmpty()) {
return Optional.empty();
} else {
boolean result = verifySignedDigestImpl(opsOpt.get(), digestValue,
publicKey, sig);
return Optional.of(result);
throw new SignatureException("Curve not supported: " +
publicKey.getParams().toString());
}
}

private boolean verifySignedDigestImpl(ECDSAOperations ops,
byte[] digest, ECPublicKey pub, byte[] sig) {
return ops.verifySignedDigest(digest, sig, pub.getW());
return opsOpt.get().verifySignedDigest(digest, sig, publicKey.getW());
}

// set parameter, not supported. See JCA doc
@@ -657,40 +562,4 @@ protected AlgorithmParameters engineGetParameters() {
throw new ProviderException("Error retrieving EC parameters", e);
}
}

/**
* Signs the digest using the private key.
*
* @param digest the digest to be signed.
* @param s the private key's S value.
* @param encodedParams the curve's DER encoded object identifier.
* @param seed the random seed.
* @param timing When non-zero, the implmentation will use timing
* countermeasures to hide secrets from timing channels. The EC
* implementation will disable the countermeasures when this value is
* zero, because the underlying EC functions are shared by several
* crypto operations, some of which do not use the countermeasures.
* The high-order 31 bits must be uniformly random. The entropy from
* these bits is used by the countermeasures.
*
* @return byte[] the signature.
*/
private static native byte[] signDigest(byte[] digest, byte[] s,
byte[] encodedParams, byte[] seed, int timing)
throws GeneralSecurityException;

/**
* Verifies the signed digest using the public key.
*
* @param signature the signature to be verified. It is encoded
* as a concatenation of the key's R and S values.
* @param digest the digest to be used.
* @param w the public key's W point (in uncompressed form).
* @param encodedParams the curve's DER encoded object identifier.
*
* @return boolean true if the signature is successfully verified.
*/
private static native boolean verifySignedDigest(byte[] signature,
byte[] digest, byte[] w, byte[] encodedParams)
throws GeneralSecurityException;
}

1 comment on commit 0b83fc0

@bridgekeeper



@bridgekeeper bridgekeeper bot commented on 0b83fc0 Sep 25, 2020
