Hi Valerie, these tests were initally meant for the new curves in SunEC, but the SunEC tests are using the PKCS#11 tests. Even though I made these known answer tests for SunEC, I think it might be a good idea not to limit them to SunEC but run them on tests using TestECDH with any provider, which claims to support these curves.
The supported/unsupported statements come from getSupportedECParameterSpec in PKCS11Test and depend on the exception a provider throws. I moved that code to this method from the getKnowCurves method, to check if one particular curve is available. So, yes, I think it lack of support in these providers, and the log message depends on the exception type and the execptions message. I executed the with an unpatched and a patched build of the OpenJDK. In both cases it was the SunEC provider. The output for the unpatched reference build for sun.security.ec.TestEC using sun.security.pkcs11.ec.TestECDH: ... >Running tests with SunEC provider... > >libsoftokn3 version = 3.16. ECC Basic. >Testing using parameters secp192r1 [NIST P-192, X9.62 prime192v1] >(1.2.840.10045.3.1.1)... >Testing using parameters sect163r2 [NIST B-163] (1.3.132.0.15)... > brainpoolP256r1: Unsupported: Key Length: Unsupported curve: brainpoolP256r1 > (1.3.36.3.3.2.8.1.1.7) > brainpoolP320r1: Unsupported: Key Length: Unsupported curve: brainpoolP320r1 > (1.3.36.3.3.2.8.1.1.9) > brainpoolP384r1: Unsupported: Key Length: Unsupported curve: brainpoolP384r1 > (1.3.36.3.3.2.8.1.1.11) > brainpoolP512r1: Unsupported: Key Length: Unsupported curve: brainpoolP512r1 > (1.3.36.3.3.2.8.1.1.13) >OK ... and for the patched build: ... >Running tests with SunEC provider... > >libsoftokn3 version = 3.16. ECC Basic. >Testing using parameters secp192r1 [NIST P-192, X9.62 prime192v1] >(1.2.840.10045.3.1.1)... >Testing using parameters sect163r2 [NIST B-163] (1.3.132.0.15)... > brainpoolP256r1: Supported >Testing using parameters brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)... > brainpoolP320r1: Supported >Testing using parameters brainpoolP320r1 (1.3.36.3.3.2.8.1.1.9)... > brainpoolP384r1: Supported >Testing using parameters brainpoolP384r1 (1.3.36.3.3.2.8.1.1.11)... > brainpoolP512r1: Supported >Testing using parameters brainpoolP512r1 (1.3.36.3.3.2.8.1.1.13)... >OK ... When running sun.security.pkcs11.ec.TestECDH directly, I get the following: ... >libsoftokn3 version = 3.16. ECC Basic. >Beginning test run TestECDH... >Running test with provider SunPKCS11-NSS (security manager enabled) ... >NSS only supports Basic ECC. Skipping.. >Completed test with provider SunPKCS11-NSS (28 ms). ... Regards, Tobias -----Ursprüngliche Nachricht----- > Von:Valerie Peng <valerie.p...@oracle.com> > Gesendet: Fre 9 Februar 2018 02:03 > An: Tobias Wagner <tobias.wag...@n-design.de>; security-dev@openjdk.java.net > Betreff: Re: [PATCH]: Support for brainpool curves from CurveDB in SunEC > > Hi Tobias, > > Just curious, which PKCS11 library did you use to test your patch? After > I applied your patch and ran the regression tests, I noticed that both > the Solaris PKCS11 library and NSS skipped testing Brainpool curves with > different error codes which may be due to lack of support... > > Regards, > Valerie >
