diff --git a/src/share/classes/sun/security/pkcs11/Config.java b/src/share/classes/sun/security/pkcs11/Config.java index dbed2cf8f4c9161d5d2bf0022e28c227a9c4ba35..08cb6de40c9922b495f863d904bcbb6abe7c8911 100644 --- a/src/share/classes/sun/security/pkcs11/Config.java +++ b/src/share/classes/sun/security/pkcs11/Config.java @@ -192,6 +192,11 @@ final class Config { // works only for NSS providers created via the Secmod API private boolean nssUseSecmodTrust = false; + // Flag to indicate whether the X9.63 encoding for EC points shall be used + // (true) or whether that encoding shall be wrapped in an ASN.1 OctetString + // (false). + private boolean useEcX963Encoding = false; + private Config(String filename, InputStream in) throws IOException { if (in == null) { if (filename.startsWith("--")) { @@ -320,6 +325,10 @@ final class Config { return nssUseSecmodTrust; } + boolean getUseEcX963Encoding() { + return useEcX963Encoding; + } + private static String expand(final String s) throws IOException { try { return PropertyExpander.expand(s); @@ -440,6 +449,8 @@ final class Config { parseNSSArgs(word); } else if (word.equals("nssUseSecmodTrust")) { nssUseSecmodTrust = parseBooleanEntry(word); + } else if (word.equals("useEcX963Encoding")) { + useEcX963Encoding = parseBooleanEntry(word); } else { throw new ConfigurationException ("Unknown keyword '" + word + "', line " + st.lineno()); diff --git a/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java b/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java index d44231a6bf28bed9b47c5f32cd5b3aa9236c822c..ef6cf3a1ef573f88857e8191fa7901504c00ea20 100644 --- a/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java +++ b/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java 
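Review bot: The comment on `useEcX963Encoding` in the first Config.java hunk names the two encodings but does not say that the flag governs both directions. Elsewhere in this commit, P11ECKeyFactory.generatePublic reads it when encoding a point for the token, and P11Key reads it when decoding the point the token returns. Because the P11Key change also drops the old decode failover, a wrong value is no longer tolerated, and this comment is where a maintainer would look for that. Suggested addition: `// Applies both to points sent to the token and to points read back; the value must match what the token's PKCS#11 library uses, there is no fallback.` The package-private getter added in the second hunk could carry a one-line Javadoc saying the same.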
@@ -203,14 +203,20 @@ final class P11ECKeyFactory extends P11KeyFactory { private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception { byte[] encodedParams = ECParameters.encodeParameters(params); - byte[] encodedPoint = null; - DerValue pkECPoint = new DerValue(DerValue.tag_OctetString, - ECParameters.encodePoint(point, params.getCurve())); + byte[] encodedPoint = + ECParameters.encodePoint(point, params.getCurve()); - try { - encodedPoint = pkECPoint.toByteArray(); - } catch (IOException e) { - throw new IllegalArgumentException("Could not DER encode point", e); + // Check whether the X9.63 encoding of an EC point shall be wrapped + // in an ASN.1 OCTET STRING + if (!token.config.getUseEcX963Encoding()) { + try { + encodedPoint = + new DerValue(DerValue.tag_OctetString, encodedPoint) + .toByteArray(); + } catch (IOException e) { + throw new + IllegalArgumentException("Could not DER encode point", e); + } } CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { diff --git a/src/share/classes/sun/security/pkcs11/P11Key.java b/src/share/classes/sun/security/pkcs11/P11Key.java index 54ccd3213c2272c73c808c1dfb19cd6d334989b5..bbce8982e907769f09913ba16c4403f898a386be 100644 --- a/src/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/share/classes/sun/security/pkcs11/P11Key.java 
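Review bot: In the wrapped branch of generatePublic the statement is broken right after `throw new`, which leaves the constructor call alone on the next line and reads awkwardly. Breaking after the opening parenthesis keeps the expression together: `throw new IllegalArgumentException(` followed by `"Could not DER encode point", e);`. The same `token.config.getUseEcX963Encoding()` test now decides the encoding here and the decoding in P11Key, so a short comment naming the counterpart would help keep the two in step, for example `// must mirror the EC point decoding in P11Key`. The method body continues past the end of the hunk.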
@@ -1028,28 +1028,21 @@ abstract class P11Key implements Key { try { params = P11ECKeyFactory.decodeParameters (attributes[1].getByteArray()); - - /* - * An uncompressed EC point may be in either of two formats. - * First try the OCTET STRING encoding: - * 04 04 - * - * Otherwise try the raw encoding: - * 04 - */ byte[] ecKey = attributes[0].getByteArray(); - try { + // Check whether the X9.63 encoding of an EC point is wrapped + // in an ASN.1 OCTET STRING + if (!token.config.getUseEcX963Encoding()) { DerValue wECPoint = new DerValue(ecKey); - if (wECPoint.getTag() != DerValue.tag_OctetString) - throw new IOException("Unexpected tag: " + - wECPoint.getTag()); + if (wECPoint.getTag() != DerValue.tag_OctetString) { + throw new IOException("Could not DER decode EC point." + + " Unexpected tag: " + wECPoint.getTag()); + } w = P11ECKeyFactory.decodePoint (wECPoint.getDataBytes(), params.getCurve()); - } catch (IOException e) { - // Failover + } else { w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve()); } diff --git a/src/share/lib/security/sunpkcs11-solaris.cfg b/src/share/lib/security/sunpkcs11-solaris.cfg index daf03a447a3af5f918116f7e2cc51019223b7fdc..3b3f7fa82f942cd7902707326cc9f165022aefcc 100644 --- a/src/share/lib/security/sunpkcs11-solaris.cfg +++ b/src/share/lib/security/sunpkcs11-solaris.cfg @@ -11,6 +11,9 @@ library = /usr/lib/$ISA/libpkcs11.so handleStartupErrors = ignoreAll +# Use the X9.63 encoding for EC points (do not wrap in an ASN.1 OctetString). +useEcX963Encoding = true + attributes = compatibility disabledMechanisms = { diff --git a/test/ProblemList.txt b/test/ProblemList.txt index c2fd9fc0cfc1e64a11f55082dcea808621f4ec8d..6097bcf7b979c5879ade15d19dd6fd5070c04b73 100644 --- a/test/ProblemList.txt +++ b/test/ProblemList.txt 
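Review bot: Removing the failover makes the decode strict, so with the default `useEcX963Encoding = false` a token that returns the bare X9.63 point now fails, where the deleted `catch (IOException e)` branch used to accept it; the only configuration this commit opts in to the raw form is sunpkcs11-solaris.cfg. Strict parsing is the safer choice because the same bytes are no longer interpreted two ways, but the failure should point at the setting, e.g. `throw new IOException("Could not DER decode EC point (check useEcX963Encoding). Unexpected tag: " + wECPoint.getTag());`. In the `else` branch a DER-wrapped value goes straight to `decodePoint`, whose error text presumably does not mention the option either. The enclosing `try` opens at the top of the hunk and its handler lies outside it, so how these exceptions reach the caller is not visible here.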
@@ -517,9 +517,6 @@ sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java generic-all # 7079203 sun/security/tools/keytool/printssl.sh fails on solaris with timeout sun/security/tools/keytool/printssl.sh solaris-all -# 7054637 -sun/security/tools/jarsigner/ec.sh solaris-all - # 7081817 sun/security/provider/certpath/X509CertPath/IllegalCertiticates.java generic-all