Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
8235710: Remove the legacy elliptic curves
Reviewed-by: xuelei, erikj
  • Loading branch information
Anthony Scarpino committed Sep 25, 2020
1 parent 8239b67 commit 0b83fc0
Show file tree
Hide file tree
Showing 77 changed files with 107 additions and 20,127 deletions.
1 change: 0 additions & 1 deletion make/autoconf/configure.ac
Expand Up @@ -242,7 +242,6 @@ HOTSPOT_SETUP_MISC
#
###############################################################################

JDKOPT_DETECT_INTREE_EC
JDKOPT_ENABLE_DISABLE_FAILURE_HANDLER
JDKOPT_ENABLE_DISABLE_GENERATE_CLASSLIST
JDKOPT_EXCLUDE_TRANSLATIONS
Expand Down
17 changes: 0 additions & 17 deletions make/autoconf/jdk-options.m4
Expand Up @@ -228,23 +228,6 @@ AC_DEFUN_ONCE([JDKOPT_SETUP_JDK_OPTIONS],
])

###############################################################################
#
# Enable or disable the elliptic curve crypto implementation
#
AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC],
[
AC_MSG_CHECKING([if elliptic curve crypto implementation is present])
if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
ENABLE_INTREE_EC=true
AC_MSG_RESULT([yes])
else
ENABLE_INTREE_EC=false
AC_MSG_RESULT([no])
fi
AC_SUBST(ENABLE_INTREE_EC)
])

AC_DEFUN_ONCE([JDKOPT_SETUP_DEBUG_SYMBOLS],
[
Expand Down
5 changes: 0 additions & 5 deletions src/java.base/share/classes/sun/security/util/CurveDB.java
Expand Up @@ -53,11 +53,6 @@ public class CurveDB {

private static Collection<? extends NamedCurve> specCollection;

// Used by SunECEntries
public static Collection<? extends NamedCurve>getSupportedCurves() {
return specCollection;
}

// Return a NamedCurve for the specified OID/name or null if unknown.
public static NamedCurve lookup(String name) {
NamedCurve spec = oidMap.get(name);
Expand Down
19 changes: 4 additions & 15 deletions src/java.base/share/conf/security/java.security
Expand Up @@ -495,16 +495,7 @@ sun.security.krb5.maxReferrals=5
# in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this
# list in any of the disabledAlgorithms properties, add the property name as
# an entry.
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
#jdk.disabled.namedCurves=

#
# Algorithm restrictions for certification path (CertPath) processing
Expand Down Expand Up @@ -642,8 +633,7 @@ jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

#
# Legacy algorithms for certification path (CertPath) processing and
Expand Down Expand Up @@ -707,7 +697,7 @@ jdk.security.legacyAlgorithms=SHA1, \
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, include jdk.disabled.namedCurves
DSA keySize < 1024

#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
Expand Down Expand Up @@ -742,8 +732,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
EC keySize < 224, 3DES_EDE_CBC, anon, NULL

#
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
Expand Down
Expand Up @@ -169,22 +169,12 @@ protected byte[] engineGenerateSecret() throws IllegalStateException {
}
byte[] result;
Optional<byte[]> resultOpt = deriveKeyImpl(privateKey, publicKey);
if (resultOpt.isPresent()) {
result = resultOpt.get();
} else {
if (SunEC.isNativeDisabled()) {
NamedCurve privNC = CurveDB.lookup(privateKey.getParams());
NamedCurve pubNC = CurveDB.lookup(publicKey.getParams());
throw new IllegalStateException(
new InvalidAlgorithmParameterException("Legacy SunEC " +
"curve disabled, one or both keys: " +
"Private: " + ((privNC != null) ?
privNC.toString() : " unknown") +
", PublicKey:" + ((pubNC != null) ?
pubNC.toString() : " unknown")));
}
result = deriveKeyNative(privateKey, publicKey);
if (resultOpt.isEmpty()) {
throw new IllegalStateException(
new InvalidAlgorithmParameterException("Curve not supported: " +
publicKey.getParams().toString()));
}
result = resultOpt.get();
publicKey = null;
return result;
}
Expand Down Expand Up @@ -263,42 +253,4 @@ Optional<byte[]> deriveKeyImpl(ECPrivateKey priv, ECPublicKey pubKey) {

return Optional.of(result);
}

private static
byte[] deriveKeyNative(ECPrivateKey privateKey, ECPublicKey publicKey) {

ECParameterSpec params = privateKey.getParams();
byte[] s = privateKey.getS().toByteArray();
byte[] encodedParams = // DER OID
ECUtil.encodeECParameterSpec(null, params);

byte[] publicValue;
if (publicKey instanceof ECPublicKeyImpl) {
ECPublicKeyImpl ecPub = (ECPublicKeyImpl) publicKey;
publicValue = ecPub.getEncodedPublicValue();
} else { // instanceof ECPublicKey
publicValue =
ECUtil.encodePoint(publicKey.getW(), params.getCurve());
}

try {
return deriveKey(s, publicValue, encodedParams);

} catch (GeneralSecurityException e) {
throw new ProviderException("Could not derive key", e);
}
}


/**
* Generates a secret key using the public and private keys.
*
* @param s the private key's S value.
* @param w the public key's W point (in uncompressed form).
* @param encodedParams the curve's DER encoded object identifier.
*
* @return byte[] the secret key.
*/
private static native byte[] deriveKey(byte[] s, byte[] w,
byte[] encodedParams) throws GeneralSecurityException;
}
161 changes: 15 additions & 146 deletions src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java
Expand Up @@ -466,53 +466,6 @@ private byte[] signDigestImpl(ECDSAOperations ops, int seedBits,
}


private Optional<byte[]> signDigestAvailable(ECPrivateKey privateKey,
byte[] digest, SecureRandom random) throws SignatureException {

ECParameterSpec params = privateKey.getParams();

// seed is the key size + 64 bits
int seedBits = params.getOrder().bitLength() + 64;
Optional<ECDSAOperations> opsOpt =
ECDSAOperations.forParameters(params);
if (opsOpt.isEmpty()) {
return Optional.empty();
} else {
byte[] sig = signDigestImpl(opsOpt.get(), seedBits, digest,
privateKey, random);
return Optional.of(sig);
}
}

private byte[] signDigestNative(ECPrivateKey privateKey, byte[] digest,
SecureRandom random) throws SignatureException {

byte[] s = privateKey.getS().toByteArray();
ECParameterSpec params = privateKey.getParams();

// DER OID
byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params);
int orderLength = params.getOrder().bitLength();

// seed is twice the order length (in bytes) plus 1
byte[] seed = new byte[(((orderLength + 7) >> 3) + 1) * 2];

random.nextBytes(seed);

// random bits needed for timing countermeasures
int timingArgument = random.nextInt();
// values must be non-zero to enable countermeasures
timingArgument |= 1;

try {
return signDigest(digest, s, encodedParams, seed,
timingArgument);
} catch (GeneralSecurityException e) {
throw new SignatureException("Could not sign data", e);
}

}

// sign the data and return the signature. See JCA doc
@Override
protected byte[] engineSign() throws SignatureException {
Expand All @@ -522,21 +475,18 @@ protected byte[] engineSign() throws SignatureException {
}

byte[] digest = getDigestValue();
Optional<byte[]> sigOpt = signDigestAvailable(privateKey, digest, random);
byte[] sig;
if (sigOpt.isPresent()) {
sig = sigOpt.get();
} else {
if (SunEC.isNativeDisabled()) {
NamedCurve nc = CurveDB.lookup(privateKey.getParams());
throw new SignatureException(
new InvalidAlgorithmParameterException(
"Legacy SunEC curve disabled: " +
(nc != null ? nc.toString()
: "unknown")));
}
sig = signDigestNative(privateKey, digest, random);
ECParameterSpec params = privateKey.getParams();

// seed is the key size + 64 bits
int seedBits = params.getOrder().bitLength() + 64;
Optional<ECDSAOperations> opsOpt =
ECDSAOperations.forParameters(params);
if (opsOpt.isEmpty()) {
throw new SignatureException("Curve not supported: " +
params.toString());
}
byte[] sig = signDigestImpl(opsOpt.get(), seedBits, digest, privateKey,
random);

if (p1363Format) {
return sig;
Expand All @@ -557,59 +507,14 @@ protected boolean engineVerify(byte[] signature) throws SignatureException {
}

byte[] digest = getDigestValue();
Optional<Boolean> verifyOpt
= verifySignedDigestAvailable(publicKey, sig, digest);

if (verifyOpt.isPresent()) {
return verifyOpt.get();
} else {
if (SunEC.isNativeDisabled()) {
NamedCurve nc = CurveDB.lookup(publicKey.getParams());
throw new SignatureException(
new InvalidAlgorithmParameterException(
"Legacy SunEC curve disabled: " +
(nc != null ? nc.toString()
: "unknown")));
}

byte[] w;
ECParameterSpec params = publicKey.getParams();
// DER OID
byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params);

if (publicKey instanceof ECPublicKeyImpl) {
w = ((ECPublicKeyImpl) publicKey).getEncodedPublicValue();
} else { // instanceof ECPublicKey
w = ECUtil.encodePoint(publicKey.getW(), params.getCurve());
}

try {
return verifySignedDigest(sig, digest, w, encodedParams);
} catch (GeneralSecurityException e) {
throw new SignatureException("Could not verify signature", e);
}
}
}

private Optional<Boolean> verifySignedDigestAvailable(
ECPublicKey publicKey, byte[] sig, byte[] digestValue) {

ECParameterSpec params = publicKey.getParams();

Optional<ECDSAOperations> opsOpt =
ECDSAOperations.forParameters(params);
ECDSAOperations.forParameters(publicKey.getParams());
if (opsOpt.isEmpty()) {
return Optional.empty();
} else {
boolean result = verifySignedDigestImpl(opsOpt.get(), digestValue,
publicKey, sig);
return Optional.of(result);
throw new SignatureException("Curve not supported: " +
publicKey.getParams().toString());
}
}

private boolean verifySignedDigestImpl(ECDSAOperations ops,
byte[] digest, ECPublicKey pub, byte[] sig) {
return ops.verifySignedDigest(digest, sig, pub.getW());
return opsOpt.get().verifySignedDigest(digest, sig, publicKey.getW());
}

// set parameter, not supported. See JCA doc
Expand Down Expand Up @@ -657,40 +562,4 @@ protected AlgorithmParameters engineGetParameters() {
throw new ProviderException("Error retrieving EC parameters", e);
}
}

/**
* Signs the digest using the private key.
*
* @param digest the digest to be signed.
* @param s the private key's S value.
* @param encodedParams the curve's DER encoded object identifier.
* @param seed the random seed.
* @param timing When non-zero, the implmentation will use timing
* countermeasures to hide secrets from timing channels. The EC
* implementation will disable the countermeasures when this value is
* zero, because the underlying EC functions are shared by several
* crypto operations, some of which do not use the countermeasures.
* The high-order 31 bits must be uniformly random. The entropy from
* these bits is used by the countermeasures.
*
* @return byte[] the signature.
*/
private static native byte[] signDigest(byte[] digest, byte[] s,
byte[] encodedParams, byte[] seed, int timing)
throws GeneralSecurityException;

/**
* Verifies the signed digest using the public key.
*
* @param signature the signature to be verified. It is encoded
* as a concatenation of the key's R and S values.
* @param digest the digest to be used.
* @param w the public key's W point (in uncompressed form).
* @param encodedParams the curve's DER encoded object identifier.
*
* @return boolean true if the signature is successfully verified.
*/
private static native boolean verifySignedDigest(byte[] signature,
byte[] digest, byte[] w, byte[] encodedParams)
throws GeneralSecurityException;
}

1 comment on commit 0b83fc0

@bridgekeeper
Copy link

@bridgekeeper bridgekeeper bot commented on 0b83fc0 Sep 25, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.