Hello,

Coming back to the message of Tobias, it looks* like even in 14 the Brainpool curves have not landed for JSSE. Are there any plans for adding this? Can you maybe share your incomplete patch, Tobias?

* I don't see them in ssl/NamesGroups: http://hg.openjdk.java.net/jdk/jdk/file/tip/src/java.base/share/classes/sun/security/ssl/NamedGroup.java

Regards
Bernd
--
http://bernd.eckenfels.net

________________________________
From: security-dev <security-dev-boun...@openjdk.java.net> on behalf of Tobias Wagner <tobias.wag...@n-design.de>
Sent: Wednesday, June 27, 2018 7:49 PM
To: security-dev@openjdk.java.net
Subject: AW: RFR [11] CSR for "Add Brainpool ECC support (RFC 5639)"

Hi Valerie and Bernd,

Valerie is right, I tested my JTREG Tests against SoftHSM2 in March:
http://mail.openjdk.java.net/pipermail/security-dev/2018-March/016863.html

I don't think there are more PKCS#11 related issues, as SunEC is not a PKCS#11 implementation. There are only shared tests.

The JTREG known answer tests use the X9.62 key format as they are used in certificates as well. I assume brainpool public keys would work in certificates as well.

I actually implemented the support for brainpool curves in TLS as well, but I had no time to provide proper JTREG tests for that, and therefore no patch yet.

Regards,
Tobias

--
phone: +49 221 222896 17
fax: +49 221 222896 11
keybase: https://keybase.io/toebix

n - d e s i g n G m b H
https://n-design.de
Alpenerstr. 16
50825 Köln
Deutschland / Germany

Amtsgericht Köln HRB 33766 B
Geschäftsführer Andy Kohl

> -----Original Message-----
> From: security-dev <security-dev-boun...@openjdk.java.net> on behalf of Valerie Peng
> Sent: Thursday, 21 June 2018 01:07
> To: security-dev@openjdk.java.net
> Subject: Re: RFR [11] CSR for "Add Brainpool ECC support (RFC 5639)"
>
> Are you asking about CSR or existing bug for including Brainpool support
> in TLS?
>
> I saw some bugs which mention errors/exceptions when brainpool is
> used, e.g. JSSE has https://bugs.openjdk.java.net/browse/JDK-7189107,
> key tool has https://bugs.openjdk.java.net/browse/JDK-8201290. After
> this brainpool support is integrated, it'll be easier to re-evaluate
> these.
>
> As for PKCS11, Tobias tested this against a 3rd party PKCS11 library and
> the result is positive if I recall correctly.
>
> Thanks,
> Valerie
>
> On 6/18/2018 1:26 PM, Bernd Eckenfels wrote:
>
> > Hello,
> >
> > Not a Reviewer, but some questions on the CSR:
> >
> > * Are there other CSRs for including in TLS?
> > * I also wonder if PKI (CA Signatures) will work out of the box
> >   then (OID aliases?)
> > * Does PKCS11 require additional changes? (especially for the
> >   Government use mentioned in the justification, HSMs are often mandatory)
> >
> > Regards
> > Bernd
> > --
> > http://bernd.eckenfels.net