Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Test failure: Legacy SunEC curve disabled under Java 15

Description

Result of https://bugs.openjdk.java.net/browse/JDK-8237219

Docs:

The SunEC crypto provider no longer advertises curves that are not implemented using modern formulas and techniques. Arbitrary and named curves, listed at the bottom of this note, are disabled. Commonly used named curves, secp256r1, secp384r1, secp521r1, x25519, and x448, remain supported and enabled by SunEC as they use modern techniques. Applications that still require the disabled curves from the SunEC provider can re-enable them by setting the System property jdk.sunec.disableNative to false, for example: java -Djdk.sunec.disableNative=false .... If this property is set to any other value, the curves will remain disabled. Exceptions thrown when the curves are disabled will contain the message "Legacy SunEC curve disabled", followed by the name of the curve. Methods affected by the change are KeyPair.generateKeyPair(),KeyAgreement.generateSecret(), Signature.verify(), and Signature.sign(). These methods throw the same exception class as they had before if the curve was not supported.

The following are the disabled curves: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1 brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

Environment

Java 15 EA 28

Activity

Show:

Brent Putman September 17, 2020 at 11:34 PM

This was an easy fix.  Just specified key lengths that correspond to the supported curves and that works fine.  Turns out the 571 bit was also broken later in the test.  So now we do 256, 384, 521.

Fixed in 39bc2c488c1957b461bbd576e0a89073bc31cbd2.

(I think the simple way we're using KeyGenerator here just gives you a supported curve that matches the requested length.  I assume there is way to init that to use a specific named curve, but since this is just a test and we don't generally do keypair generation this way, I'll leave that to another day...)

Ian Young June 22, 2020 at 12:43 PM

Note that Rod's commit 471a7c436904fb5435d25b412cd9a45504b5323f resolving also disables this test, but that was an accidental check-in and isn't intended as the resolution of this issue.

Fixed
Pinned fields
Click on the next to a field label to start pinning.

Details

Assignee

Reporter

Components

Affects versions

Created June 19, 2020 at 10:04 AM
Updated September 18, 2020 at 1:56 PM
Resolved September 17, 2020 at 11:34 PM
Configure