Details
-
Bug
-
Resolution: Fixed
-
P2
-
6
-
b85
-
generic, x86
-
generic, windows_2003
Description
A few updates/fixes to the ECC support added by 6405536 are needed:
. add support for SHA256withECDSA (and 384/512) in addition to SHA1withECDSA
. change the default key size/curve in keytool, EC KeyPairGenerator, and the SunJSSE ECDHE key exchange from NIST-P192 to NIST-P256. That is equivalent to 3072 bit RSA keys, so rather out of whack with our 1024 bit default for RSA, but NSA Suite B mandates P256 and it it also more widely implemented than P192.
. the P11KeyStore does not really understand EC keys, so it is not possible to store them into a PKCS#11 token. This needs to be fixed, maybe along with some special code for some preexisting NSS specific problems.
Also:
. the "Supported Elliptic Curves Extension" is encoded incorrectly. This causes problems if a JSSE client is talking to an ECC server that parses this extension. By accident, JSSE in server mode is ok.
. add support for SHA256withECDSA (and 384/512) in addition to SHA1withECDSA
. change the default key size/curve in keytool, EC KeyPairGenerator, and the SunJSSE ECDHE key exchange from NIST-P192 to NIST-P256. That is equivalent to 3072 bit RSA keys, so rather out of whack with our 1024 bit default for RSA, but NSA Suite B mandates P256 and it it also more widely implemented than P192.
. the P11KeyStore does not really understand EC keys, so it is not possible to store them into a PKCS#11 token. This needs to be fixed, maybe along with some special code for some preexisting NSS specific problems.
Also:
. the "Supported Elliptic Curves Extension" is encoded incorrectly. This causes problems if a JSSE client is talking to an ECC server that parses this extension. By accident, JSSE in server mode is ok.
Attachments
Issue Links
- duplicates
-
-
- Closed
-
- relates to
-
JDK-6501143 Support for ecdsa-with-Specified AlgorithmIdentifier
-
- Closed
-
-
-
- Resolved
-