ng HSMs as
far as I can see. ECC is rolling out pretty wide in Europe now with new
electronic passports and other ECC cards.
So getting this fixed would be quite welcome, it's a small fix. I've
tested it on SafeNet HSMs myself right now.
Kind regards,
Tomas Gustavsson
PrimeKey Soluti
Andrew John Hughes wrote:
> 2009/10/6 Tomas Gustavsson :
>> Hi Andrew,
>>
>> I guess no bug Id was created after all.
>> The issue is that the pkcs#11 library returns a tag-length-value
>> encoding for an EC public key, but the Sun provider expects something
Sweet! Let me know if you need any help testing. I'm mainly running on
Ubuntu 64bit, but have access to others as well.
Regards,
Tomas
Vincent Ryan wrote:
>
> Tomas Gustavsson wrote:
>> Andrew John Hughes wrote:
>>> 2009/10/6 Tomas Gustavsson :
>>>> Hi A
un Contribution
Agreement".
Andrew John Hughes wrote:
> 2009/10/5 Tomas Gustavsson :
>> Hi Vincent and Brad,
>>
>> I'm not sure how things are at Sun currently. We work with Sun here in
>> Sweden so we've heard a bit about wait with the Oracle story.
>>
Here is another reference to this bug:
http://forums.sun.com/thread.jspa?messageID=10270927
Regards,
Tomas
Andrew John Hughes wrote:
> 2009/10/5 Tomas Gustavsson :
>> Hi Vincent and Brad,
>>
>> I'm not sure how things are at Sun currently. We work with Sun here in
Hi,
I'm wondering if there are any plans to support the brainpool EC curves
(http://www.ecc-brainpool.org/) in OpenJDK (including the p11 provider)?
These curves are standardized and are being used in a lot of ePassport
deployments in the EU.
Kind regards,
Tomas Gustavsson
PrimeKey Solutions AB
Hi again :-)
I'm just wondering if there are any plans to support the RSAWithMGF1
signature algorithm in the pkcs11 provider?
There is already support in the JDK for it, just not through pkcs11.
Kind regards,
Tomas Gustavsson
PrimeKey Solutions AB
Hi,
I found this bug for Elliptic curve crypto:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6738532
It's quite old and there seems to be a quite easy resolution to the bug
(second suggested solution).
Any plans to fix it?
Cheers,
Tomas
#Using%20EC%20keys.
This howto naturally includes patching ECParameters to enable this code.
It seems to work just fine. Does anyone know why this code is supposed
to be incomplete? And what would it take to get it enabled in JDK so we
don't have to patch the jdk?
Kind regards,
Tomas Gusta
I'll second this request. This is a critical patch and many production
installations have to live with this manually patched now.
I know of no pkcs11 implementation that works with the current code.
Regards,
Tomas Gustavsson
PrimeKey Solutions AB
On Wed, 20 Jan 2010, Michael StJohns
Wonderful! Thanks!
Cheers,
Tomas
Vincent Ryan wrote:
I hear ya. Sorry for the delay on this. I'll push the fix for OpenJDK today.
On 21/01/2010 07:44, Tomas Gustavsson wrote:
Now it has one more vote.
/Tomas
Andrew John Hughes wrote:
2010/1/20 Tomas Gustavsson :
I'll s
itted this is because I submitted a
>>>>>>>>>> different
>>>>>>>>>> EC fix https://bugs.openjdk.java.net/show_bug.cgi?id=100048 per
>>>>>>>>>> the
>
> Mike
>
>
>
>
>> On 21/01/20
Now it has one more vote.
/Tomas
Andrew John Hughes wrote:
2010/1/20 Tomas Gustavsson :
I'll second this request. This is a critical patch and many production
installations have to live with this manually patched now.
I know of no pkcs11 implementation that works with the current
Slightly off topic.
Something I would like to see is API support for setting aliases when
using the KeyPairGenerator. This is due to the fact that many HSMs do
not allow changing an alias of private keys after they have been
generated. Since the key pair generator sets a blank alias when using
> Thanks,
> Valerie
>
> On 03/26/10 00:05, Tomas Gustavsson wrote:
>>
>> Slightly off topic.
>> Something I would like to see is API support for setting aliases when
>> using the KeyPairGenerator. This is due to the fact that many HSMs do
>> not allow changi
?
Thanks,
Valerie
On 03/26/10 00:05, Tomas Gustavsson wrote:
Slightly off topic.
Something I would like to see is API support for setting aliases when
using the KeyPairGenerator. This is due to the fact that many HSMs do
not allow changing an alias of private keys after they have been
generated
what's going on and make further comments
tomorrow.
Mike
At 03:26 AM 3/31/2010, Tomas Gustavsson wrote:
Hi,
Sorry if I misunderstood you. That is actually exactly how we do it,
1. Use KeyPairGenerator with P11 provider to generate key pair.
2. Create a keystore with the P11 prov
If we need it it's usually for all keys, both RSA and EC.
Cheers,
Tomas
"Michael StJohns" wrote:
>At 04:34 AM 4/19/2010, Tomas Gustavsson wrote:
>
>>Hi,
>>Sorry for being late, I was away on vacation.
>>
>>Yes in most cases we do use a custom PKCS11
olves your problem?
Valerie
On 04/19/10 08:08, Tomas Gustavsson wrote:
If we need it it's usually for all keys, both RSA and EC.
Cheers,
Tomas
"Michael StJohns" wrote:
At 04:34 AM 4/19/2010, Tomas Gustavsson wrote:
Hi,
Sorry for being late, I was away on vacation.
Yes in most
Hi,
The PKCS#11 provider currently does not support SHA224WithECDSA,
although this is becoming a popular algorithm.
I have hacked it myself to support this and the patch is basically
trivial. Is it possible to get this support in the JDK?
It requires only trivial modifications to AlgorithmId.
>
> A quick look at the current JDK7 has support for SHA224withECDSA in
> AlgorithmId.java already...
>
> Mike
>
>
>
> At 12:37 AM 8/26/2010, Tomas Gustavsson wrote:
>
>> Hi,
>>
>> The PKCS#11 provider currently does not support SHA224WithE
Hi,
What is the master issue tracker for OpenJDK these days?
We have reported https://bugs.openjdk.java.net/show_bug.cgi?id=100162
Which is closed referencing a "sun bug" id. Is the oracle tracker (which
was off line for a long time) the main issue tracker for OpenJDK still?
Che
/view_bug.do?bug_id=7007966
regards,
Sean.
[1] https://blogs.oracle.com/darcy/entry/milestone_jira_system_of_record
On 27/05/13 09:31, Tomas Gustavsson wrote:
Hi,
What is the master issue tracker for OpenJDK these days?
We have reported https://bugs.openjdk.java.net/show_bug.cgi?id=100162
Which is
It was at some point common to require digitalSignature. Many years ago
when we developed support for OCSP in EJBCA, Mozilla browsers would not
accept OCSP responses with only keyCertSign and crlSign.
DigitalSignature was needed as well. So at least it was common behaviour
some years ago.
I
+1 for this.
On 2015-09-17 19:53, Sean Mullan wrote:
On 08/19/2015 05:48 PM, Jiri Stary wrote:
Hello,
do you plan to support brainpool curves for TLS in Java 9 (RFC 7027) ?
There is no plan to support it in 9. There is an open RFE for supporting
brainpool in JCE: https://bugs.openjdk.java.n
I don't see any ECC algorithms. These are in wide use today to say the
least. And will be so even more tomorrow (i.e. when Java SE 7 is out you
can not live without it).
Regards,
Tomas
On 12/15/2010 04:11 PM, Sean Mullan wrote:
Hello,
Currently, the Java security APIs do not specify algori
--Sean
>
> On 12/16/2010 09:40 AM, Tomas Gustavsson wrote:
>>
>> I don't see any ECC algorithms. These are in wide use today to say the
>> least. And will be so even more tomorrow (i.e. when Java SE 7 is out you
>> can not live without it).
>>
>> Reg
Now SE6 u24 is out and still no PKCS#11 ECC bugfix in Oracle JDK. What's
up? It's been in OpenJDK for quite some time now.
Cheers,
Tomas
Hi,
(changed subject as to not mess up review threads).
Just a question whether this NSA Suite B effort will mean that some
attention will be given to ECC ciphers and PKCS#11 in JDK 7?
We have a few fix requests submitted in this area.
Regards,
Tomas
On 04/07/2011 06:46 AM, Brad Wetmore w
st did was just to provide API support for GCM (and later CCM,
likely in 8).
We're really ramping down for the JDK 7 release, and I don't know what
Vinnie/Valerie have in mind for the remaining time.
Brad
On 4/27/2011 1:34 AM, Tomas Gustavsson wrote:
Hi,
(changed subject as to not me
Will there ever be a pkcs11 for windows-x64?
Cheers,
Tomas
On 10/31/2011 11:33 PM, Valerie (Yu-Ching) Peng wrote:
> Looks good to me.
> Valerie
>
> On 10/31/11 14:19, Brad Wetmore wrote:
>>
>> Hi Valerie,
>>
>> http://cr.openjdk.java.net/~wetmore/7053252/
>>
>> Review 7053252: New regression t
Cool patches! Everything we've been looking for.
There should be a few patches from us in the issue tracker for
SHA224WithECDSA and some other ECDSA related stuff.
Cheers,
Tomas
On 12/22/2011 11:41 PM, mark.reinh...@oracle.com wrote:
> Posted: http://openjdk.java.net/jeps/131
>
> - Mark
Hi,
> Maybe its time to provide a PKCS11AttributeSpec of some sort for key
> creation and for looking things up? The current model is literally
> 12-15 years old AFAICT.
I just thought I'd second this, albeit late. We're seeing the current
PKCS#11 Provider model break down with some new HSMs ou
Solutions AB
Lundagatan 16, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**
On 2015-09-30 14:41, Laumann Andreas wrote:
Am Mittwoch, den 23.09.2015, 17:27 +0200 schrieb Tomas Gustavsson:
+1 for this.
+1 also from my side
Sorry for jumping in :-)
Imho the P11 layer always needs attention. To work properly we're
relying on some patches, where parts were recently merged into OpenJDK.
We just started testing the Amazon CloudHSM, and that requires changes
to SunPKCS11 as well to work. Not always bad in SunPKCS11 as som
xample
reverting back to the old behavior when these were ignored.
Regards,
Tomas Gustavsson
--
**
PrimeKey Solutions AB
Lundagatan 16, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**
yLen != -1) && (keySize < minKeyLen)) {
>> keySize = minKeyLen;
>> }
>> if ((maxKeyLen != -1) && (maxKeyLen < minKeyLen)) {
>> maxKeyLen = minKeyLen;
>> }
>> if ((maxKeyLen != -1) && (keySize > maxKeyLen)) {
>> keySize = maxKeyLen;
>> }
>>
>> 2. Allow to ignore checking of maxKeyLen by some means, i.e. allow to
>> ignore checking against C_GetMechanismInfo if you know that the HSM does
>> not provide sane values. I.e. an environment variable for example
>> reverting back to the old behavior when these were ignored.
>>
>> Regards,
>> Tomas Gustavsson
>>
>
ack is always welcomed.
>
> What do you mean with "more flexibility"?
>
> --
> [1]
> - http://mail.openjdk.java.net/pipermail/security-dev/2017-October/016400.html
>
> On Wed, Jan 24, 2018 at 8:06 AM, Andrew Haley <mailto:a...@redhat.com>> wrote:
>
Just FYI. SoftHSM2 from the OpenDNSSec project is a good P11 to test
with, and I believe it supports brainpool in recent versions.
https://github.com/opendnssec/SoftHSMv2
It works really well.
Regards,
Tomas
On 2018-02-09 02:03, Valerie Peng wrote:
> Hi Tobias,
>
> Just curious, which PKCS11 l
= true
CKA_DECRYPT = true
CKA_SIGN = true
CKA_VERIFY = true
CKA_WRAP = true
CKA_UNWRAP = true
}
-
Cheers,
Tomas
On 2018-02-09 09:55, Tomas Gustavsson wrote:
>
> Hi,
>
> Thanks for the answer. (sorry I was out with the flu for a week)
>
>> I am not too k
approach is to just add a
> configuration option for disabling checking the supported key size range.
> Regards,
> Valerie
>
> On 2/9/2018 2:16 AM, Tomas Gustavsson wrote:
>> I just realized that a natural place to configure provider behavior is
>> in the provider constru
n
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**
On 2018-02-15 23:51, Valerie Peng wrote:
>
> Yes, please go ahead and file a bug for this.
> Thanks!
> Valerie
>
> On 2/13/2018 6:00 AM, Tomas Gustavsson wrote:
>> Thanks for t
Hi,
There is a long standing issue (since the beginning) with
keyPairGeneration in the Sun PKCS#11 provider, but I thought it's time
to vent it.
KeyPairGenerator.generateKeyPair() only generates a keyPair, and does
not set any alias or ID on the key. You can set an alias by using a sun
config f
44 matches