On 12/6/2017 11:39 AM, Max Fichtelmann wrote:

> We use an HSM to generate ECDSA Keys and are required to use the curve brainpoolP256r1.
>
> Although the HSM does not specifically support brainpool, it is possible to generate these keys by providing the specific Curve Parameters. These curve parameters are then saved in CKA_EC_PARAMS...
> <snip>
> When using SunPKCS11 to load the KeyPair, ECParams is used with the value of CKA_EC_PARAMS which then fails.
>
> So there are not many options I see - either patching JDK or getting the HSM-Vendor to add support for brainpool...

I think this problem is pretty good motivation for enhancing this code to support specified domain parameters. So if you are going to write code to fix this, please consider submitting a patch.

There may be another way to fix this problem without patching the JDK. You could develop (or locate) a JCA provider including an AlgorithmParameters service for "EC" that has this desired functionality. Install[1] this provider with a preference higher than SunEC, and it will be used to decode the CKA_EC_PARAMS. But note that this may also change other (unrelated) crypto behavior in your application.

[1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderInstalling
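
The provider-precedence mechanism described in the reply above, as an added example (not code from this thread or from the JDK): a hypothetical provider `EcParamsOnly` registers only `AlgorithmParameters.EC`, so the precedence change stays confined to that one service. Its SPI forwards every call to SunEC; decoding of specified domain parameters is not implemented here and would go in `engineInit(byte[])`.

```java
import java.io.IOException;
import java.security.*;
import java.security.spec.*;

public class EcParamsProviderDemo {
    // Hypothetical SPI: forwards every call to SunEC's implementation. A real
    // one would decode specified domain parameters in engineInit(byte[]).
    public static final class EcParamsSpi extends AlgorithmParametersSpi {
        private final AlgorithmParameters sunEc;
        public EcParamsSpi() throws GeneralSecurityException {
            sunEc = AlgorithmParameters.getInstance("EC", "SunEC");
        }
        @Override protected void engineInit(AlgorithmParameterSpec spec)
                throws InvalidParameterSpecException { sunEc.init(spec); }
        @Override protected void engineInit(byte[] der) throws IOException { sunEc.init(der); }
        @Override protected void engineInit(byte[] der, String format)
                throws IOException { sunEc.init(der, format); }
        @Override protected <T extends AlgorithmParameterSpec> T engineGetParameterSpec(Class<T> type)
                throws InvalidParameterSpecException { return sunEc.getParameterSpec(type); }
        @Override protected byte[] engineGetEncoded() throws IOException { return sunEc.getEncoded(); }
        @Override protected byte[] engineGetEncoded(String format)
                throws IOException { return sunEc.getEncoded(format); }
        @Override protected String engineToString() { return sunEc.toString(); }
    }

    // Hypothetical provider that registers exactly one service.
    public static final class EcParamsOnlyProvider extends Provider {
        public EcParamsOnlyProvider() {
            super("EcParamsOnly", 1.0, "AlgorithmParameters.EC only (hypothetical)");
            put("AlgorithmParameters.EC", EcParamsSpi.class.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        // Position 1 is the highest preference, ahead of SunEC.
        Security.insertProviderAt(new EcParamsOnlyProvider(), 1);

        // An unqualified lookup for EC parameters now resolves to the new provider.
        System.out.println("AlgorithmParameters EC -> "
                + AlgorithmParameters.getInstance("EC").getProvider().getName());
        // Services the new provider does not register still resolve as before.
        System.out.println("KeyPairGenerator EC    -> "
                + KeyPairGenerator.getInstance("EC").getProvider().getName());
        System.out.println("Signature ECDSA        -> "
                + Signature.getInstance("SHA256withECDSA").getProvider().getName());
    }
}
```

Printing the resolved provider for each service an application uses, before and after the insertion, shows exactly which lookups the new provider has taken over.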
