Uploaded image for project: 'OpenSAML - Java'
  1. OpenSAML - Java
  2. OSJ-319

Test failure: Legacy SunEC curve disabled under Java 15

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0.1
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Environment:

      Java 15 EA 28

      Description

      [ERROR] org.opensaml.security.crypto.KeySupportTest.testKeyLength  Time elapsed: 1.493 s  <<< FAILURE!
      java.security.ProviderException: Legacy SunEC curve disabled:  secp112r1 (1.3.132.0.6)
      	at org.opensaml.security.crypto.KeySupportTest.testKeyLength(KeySupportTest.java:242)

      Result of https://bugs.openjdk.java.net/browse/JDK-8237219

      Docs:

      The SunEC crypto provider no longer advertises curves that are not implemented using modern formulas and techniques. Arbitrary and named curves, listed at the bottom of this note, are disabled. Commonly used named curves, secp256r1, secp384r1, secp521r1, x25519, and x448, remain supported and enabled by SunEC as they use modern techniques. Applications that still require the disabled curves from the SunEC provider can re-enable them by setting the System property jdk.sunec.disableNative to false, for example: java -Djdk.sunec.disableNative=false .... If this property is set to any other value, the curves will remain disabled. Exceptions thrown when the curves are disabled will contain the message "Legacy SunEC curve disabled", followed by the name of the curve. Methods affected by the change are KeyPair.generateKeyPair(),KeyAgreement.generateSecret(), Signature.verify(), and Signature.sign(). These methods throw the same exception class as they had before if the curve was not supported.

      The following are the disabled curves: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1 brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              putmanb@shibboleth.net Brent Putman
              Reporter:
              ian@iay.org.uk Ian Young
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: