7099228: Use a PKCS11 config attribute to control encoding of an EC point

Reviewed-by: valeriep, mullan

src/share/classes/sun/security/pkcs11/Config.java

@@ -192,6 +192,11 @@ final class Config {
     // works only for NSS providers created via the Secmod API
     private boolean nssUseSecmodTrust = false;
 
+    // Flag to indicate whether the X9.63 encoding for EC points shall be used
+    // (true) or whether that encoding shall be wrapped in an ASN.1 OctetString
+    // (false).
+    private boolean useEcX963Encoding = false;
+
     private Config(String filename, InputStream in) throws IOException {
         if (in == null) {
             if (filename.startsWith("--")) {
@@ -320,6 +325,10 @@ final class Config {
         return nssUseSecmodTrust;
     }
 
+    boolean getUseEcX963Encoding() {
+        return useEcX963Encoding;
+    }
+
     private static String expand(final String s) throws IOException {
         try {
             return PropertyExpander.expand(s);
@@ -440,6 +449,8 @@ final class Config {
                 parseNSSArgs(word);
             } else if (word.equals("nssUseSecmodTrust")) {
                 nssUseSecmodTrust = parseBooleanEntry(word);
+            } else if (word.equals("useEcX963Encoding")) {
+                useEcX963Encoding = parseBooleanEntry(word);
             } else {
                 throw new ConfigurationException
                         ("Unknown keyword '" + word + "', line " + st.lineno());

src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java

@@ -203,14 +203,20 @@ final class P11ECKeyFactory extends P11KeyFactory {
 
     private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception {
         byte[] encodedParams = ECParameters.encodeParameters(params);
-        byte[] encodedPoint = null;
-        DerValue pkECPoint = new DerValue(DerValue.tag_OctetString,
-            ECParameters.encodePoint(point, params.getCurve()));
+        byte[] encodedPoint =
+            ECParameters.encodePoint(point, params.getCurve());
 
+        // Check whether the X9.63 encoding of an EC point shall be wrapped
+        // in an ASN.1 OCTET STRING
+        if (!token.config.getUseEcX963Encoding()) {
             try {
-            encodedPoint = pkECPoint.toByteArray();
+                encodedPoint =
+                    new DerValue(DerValue.tag_OctetString, encodedPoint)
+                        .toByteArray();
             } catch (IOException e) {
-            throw new IllegalArgumentException("Could not DER encode point", e);
+                throw new
+                    IllegalArgumentException("Could not DER encode point", e);
+            }
         }
 
         CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {

src/share/classes/sun/security/pkcs11/P11Key.java

@@ -1028,28 +1028,21 @@ abstract class P11Key implements Key {
             try {
                 params = P11ECKeyFactory.decodeParameters
                             (attributes[1].getByteArray());
-
-                /*
-                 * An uncompressed EC point may be in either of two formats.
-                 * First try the OCTET STRING encoding:
-                 *   04 <length> 04 <X-coordinate> <Y-coordinate>
-                 *
-                 * Otherwise try the raw encoding:
-                 *   04 <X-coordinate> <Y-coordinate>
-                 */
                 byte[] ecKey = attributes[0].getByteArray();
 
-                try {
+                // Check whether the X9.63 encoding of an EC point is wrapped
+                // in an ASN.1 OCTET STRING
+                if (!token.config.getUseEcX963Encoding()) {
                     DerValue wECPoint = new DerValue(ecKey);
-                    if (wECPoint.getTag() != DerValue.tag_OctetString)
-                        throw new IOException("Unexpected tag: " +
-                            wECPoint.getTag());
 
+                    if (wECPoint.getTag() != DerValue.tag_OctetString) {
+                        throw new IOException("Could not DER decode EC point." +
+                            " Unexpected tag: " + wECPoint.getTag());
+                    }
                     w = P11ECKeyFactory.decodePoint
                         (wECPoint.getDataBytes(), params.getCurve());
 
-                } catch (IOException e) {
-                    // Failover
+                } else {
                     w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve());
                 }
 

src/share/lib/security/sunpkcs11-solaris.cfg

@@ -11,6 +11,9 @@ library = /usr/lib/$ISA/libpkcs11.so
 
 handleStartupErrors = ignoreAll
 
+# Use the X9.63 encoding for EC points (do not wrap in an ASN.1 OctetString).
+useEcX963Encoding = true
+
 attributes = compatibility
 
 disabledMechanisms = {

test/ProblemList.txt

@@ -517,9 +517,6 @@ sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java       generic-all
 # 7079203 sun/security/tools/keytool/printssl.sh fails on solaris with timeout
 sun/security/tools/keytool/printssl.sh                          solaris-all
 
-# 7054637
-sun/security/tools/jarsigner/ec.sh                             solaris-all
-
 # 7081817
 sun/security/provider/certpath/X509CertPath/IllegalCertiticates.java    generic-all