JDK-6414980 : ECC Updates
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic,windows_2003
  • CPU: generic,x86
  • Submitted: 2006-04-19
  • Updated: 2010-04-02
  • Resolved: 2006-05-13
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6
6 b85Fixed
Related Reports
Duplicate :  
JDK-6416879 - keytool can only access keystores supported by -providerClass when it's specified
Relates :  
JDK-6405536 - Support for Elliptic Curve Cryptography (ECC) in SunPKCS11 and SunJSSE
Relates :  
JDK-6501143 - Support for ecdsa-with-Specified AlgorithmIdentifier
Description
A few updates/fixes to the ECC support added by 6405536 are needed:

 . add support for SHA256withECDSA (and 384/512) in addition to SHA1withECDSA

 . change the default key size/curve in keytool, EC KeyPairGenerator, and the SunJSSE ECDHE key exchange from NIST-P192 to NIST-P256. That is equivalent to 3072 bit RSA keys, so rather out of whack with our 1024 bit default for RSA, but NSA Suite B mandates P256 and it it also more widely implemented than P192.

 . the P11KeyStore does not really understand EC keys, so it is not possible to store them into a PKCS#11 token. This needs to be fixed, maybe along with some special code for some preexisting NSS specific problems.
Also:

 . the "Supported Elliptic Curves Extension" is encoded incorrectly. This causes problems if a JSSE client is talking to an ECC server that parses this extension. By accident, JSSE in server mode is ok.
Comments
EVALUATION Correct.
22-04-2006