JDK-8026976 : ECParameters, Point does not match field size
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6,6u45,8,9
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2013-09-20
  • Updated: 2020-12-17
  • Resolved: 2020-12-03
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 16
16 b28Fixed
Related Reports
Duplicate :  
JDK-8006625 - ECParameters, Point does not match field size
Relates :  
JDK-8154821 - Update issue number for sun/security/pkcs11/ec/TestKeyFactory.java in ProblemList
Relates :  
JDK-7099228 - Use a PKCS11 config attribute to control encoding of an EC point
Description
The test fails in non solaris platforms too.

[2013-09-14T09:39:09.39] + C:/Users/aurora/sandbox/jdk/bin/java -DNSS_LIB_DIR=C:/Users/aurora/sandbox/testbase/tools/lib/nss/WINNT -server -Djava.security.manager -Duser.timezone=PST -Djava.security.policy=C:/Users/aurora/sandbox/results/ResultDir/KeyFactory/./policy.txt TestKeyFactory ecprovider.cfg 
[2013-09-14T09:39:09.39] Exception in thread "main" java.security.spec.InvalidKeySpecException: Could not parse key
[2013-09-14T09:39:09.39] 	at sun.security.pkcs11.P11ECKeyFactory.implGetPublicKeySpec(P11ECKeyFactory.java:299)
[2013-09-14T09:39:09.39] 	at sun.security.pkcs11.P11KeyFactory.engineGetKeySpec(P11KeyFactory.java:94)
[2013-09-14T09:39:09.39] 	at java.security.KeyFactory.getKeySpec(KeyFactory.java:413)
[2013-09-14T09:39:09.39] 	at TestKeyFactory.testPublic(TestKeyFactory.java:57)
[2013-09-14T09:39:09.39] 	at TestKeyFactory.test(TestKeyFactory.java:91)
[2013-09-14T09:39:09.39] 	at TestKeyFactory.main(TestKeyFactory.java:126)
[2013-09-14T09:39:09.39] Caused by: java.io.IOException: Point does not match field size
[2013-09-14T09:39:09.39] 	at sun.security.util.ECUtil.decodePoint(ECUtil.java:54)
[2013-09-14T09:39:09.39] 	at sun.security.pkcs11.P11ECKeyFactory.decodePoint(P11ECKeyFactory.java:89)
[2013-09-14T09:39:09.39] 	at sun.security.pkcs11.P11ECKeyFactory.implGetPublicKeySpec(P11ECKeyFactory.java:296)
[2013-09-14T09:39:09.39] 	... 5 more


related issues :: INTJDK-7606293
Comments
Changeset: 55f5542c Author: Anthony Scarpino <ascarpino@openjdk.org> Date: 2020-12-03 18:05:53 +0000 URL: https://git.openjdk.java.net/jdk/commit/55f5542c
03-12-2020
I ran attached test, and it failed even if 'useEcX963Encoding = true' was specified in NSS configuration file: I found that useEcX963Encoding parameter was introduced in JDK-7099228. Now P11Key unwrap EC point if useEcX963Encoding is set to true before it calls P11ECKeyFactory.decodePoint() method: http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/2b27e14a4c82 - try { + // Check whether the X9.63 encoding of an EC point is wrapped + // in an ASN.1 OCTET STRING + if (!token.config.getUseEcX963Encoding()) { DerValue wECPoint = new DerValue(ecKey); - if (wECPoint.getTag() != DerValue.tag_OctetString) - throw new IOException("Unexpected tag: " + - wECPoint.getTag()); + if (wECPoint.getTag() != DerValue.tag_OctetString) { + throw new IOException("Could not DER decode EC point." + + " Unexpected tag: " + wECPoint.getTag()); + } w = P11ECKeyFactory.decodePoint (wECPoint.getDataBytes(), params.getCurve()); - } catch (IOException e) { - // Failover + } else { w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve()); } But P11ECKeyFactory.implGetPublicKeySpec() method still expects only unwrapped EC point: http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/tip/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java ... <T extends KeySpec> T implGetPublicKeySpec(P11Key key, Class<T> keySpec, Session[] session) throws PKCS11Exception, InvalidKeySpecException { if (ECPublicKeySpec.class.isAssignableFrom(keySpec)) { session[0] = token.getObjSession(); CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_EC_POINT), new CK_ATTRIBUTE(CKA_EC_PARAMS), }; token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); try { ECParameterSpec params = decodeParameters(attributes[1].getByteArray()); ECPoint point = decodePoint(attributes[0].getByteArray(), params.getCurve()); ... As a result, the test fails with the following message: Exception in thread "main" java.security.spec.InvalidKeySpecException: Could not parse key at sun.security.pkcs11.P11ECKeyFactory.implGetPublicKeySpec(P11ECKeyFactory.java:299) at sun.security.pkcs11.P11KeyFactory.engineGetKeySpec(P11KeyFactory.java:94) at java.security.KeyFactory.getKeySpec(KeyFactory.java:415) at TestKeyFactory.testPublic(TestKeyFactory.java:74) at TestKeyFactory.test(TestKeyFactory.java:108) at TestKeyFactory.main(TestKeyFactory.java:144) Caused by: java.io.IOException: Point does not match field size at sun.security.util.ECUtil.decodePoint(ECUtil.java:54) at sun.security.pkcs11.P11ECKeyFactory.decodePoint(P11ECKeyFactory.java:89) at sun.security.pkcs11.P11ECKeyFactory.implGetPublicKeySpec(P11ECKeyFactory.java:296) ... 5 more I added a check to P11ECKeyFactory.implGetPublicKeySpec() method like in P11ECKeyFactory.decodePoint(), and test passed. Please see webrev: http://cr.openjdk.java.net/~asmotrak/8026976/webrev.00/ It looks like a JDK issue, please take a look again. I searched for 'decodePoint' string and got the following; artem@localhost:~/ws/jdk/jdk9_dev/jdk/src/share/classes$ grep -r decodePoint . ./org/jcp/xml/dsig/internal/dom/DOMKeyValue.java: private Method encodePoint, decodePoint, getCurveName, ./org/jcp/xml/dsig/internal/dom/DOMKeyValue.java: decodePoint = c.getMethod("decodePoint", params); ./org/jcp/xml/dsig/internal/dom/DOMKeyValue.java: ecPoint = (ECPoint)decodePoint.invoke(null, args); ./org/jcp/xml/dsig/internal/dom/DOMKeyValue.java: ecPoint = sun.security.ec.ECParameters.decodePoint( ./sun/security/pkcs11/P11Key.java: w = P11ECKeyFactory.decodePoint ./sun/security/pkcs11/P11Key.java: w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve()); ./sun/security/pkcs11/P11ECKeyFactory.java: static ECPoint decodePoint(byte[] encoded, EllipticCurve curve) throws IOException { ./sun/security/pkcs11/P11ECKeyFactory.java: return ECUtil.decodePoint(encoded, curve); ./sun/security/pkcs11/P11ECKeyFactory.java: point = decodePoint ./sun/security/pkcs11/P11ECKeyFactory.java: point = decodePoint(ecKey, params.getCurve()); ./sun/security/ec/ECKeyPairGenerator.java: ECPoint w = ECUtil.decodePoint(getEncodedBytes(handles[1]), ./sun/security/ec/ECPublicKeyImpl.java: w = ECUtil.decodePoint(key, params.getCurve()); ./sun/security/util/ECUtil.java: public static ECPoint decodePoint(byte[] data, EllipticCurve curve) ./sun/security/ssl/JsseJce.java: static ECPoint decodePoint(byte[] encoded, EllipticCurve curve) ./sun/security/ssl/JsseJce.java: return ECUtil.decodePoint(encoded, curve); ./sun/security/ssl/HandshakeMessage.java: ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve()); ./sun/security/ssl/ECDHCrypt.java: ECPoint point = JsseJce.decodePoint(encodedPoint, params.getCurve()); If it is a JDK issue, these files should be checked.
23-04-2014
This is fixed by adding 'useEcX963Encoding = true' to the NSS configuration file used by the test. This is a test issue. Downgrading to P4.
17-10-2013
Tested with NSS library versions 3.13.1.0, 3.14.3.0 This test consistently fails on windows.
20-09-2013