JDK-8026976 : ECParameters, Point does not match field size
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6,6u45,8,9
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2013-09-20
  • Updated: 2025-02-20
  • Resolved: 2020-12-03
JDK 16: 16 b28, Fixed
Description
The test fails on non-Solaris platforms too.

[2013-09-14T09:39:09.39] + C:/Users/aurora/sandbox/jdk/bin/java -DNSS_LIB_DIR=C:/Users/aurora/sandbox/testbase/tools/lib/nss/WINNT -server -Djava.security.manager -Duser.timezone=PST -Djava.security.policy=C:/Users/aurora/sandbox/results/ResultDir/KeyFactory/./policy.txt TestKeyFactory ecprovider.cfg 
[2013-09-14T09:39:09.39] Exception in thread "main" java.security.spec.InvalidKeySpecException: Could not parse key
[2013-09-14T09:39:09.39] 	at sun.security.pkcs11.P11ECKeyFactory.implGetPublicKeySpec(P11ECKeyFactory.java:299)
[2013-09-14T09:39:09.39] 	at sun.security.pkcs11.P11KeyFactory.engineGetKeySpec(P11KeyFactory.java:94)
[2013-09-14T09:39:09.39] 	at java.security.KeyFactory.getKeySpec(KeyFactory.java:413)
[2013-09-14T09:39:09.39] 	at TestKeyFactory.testPublic(TestKeyFactory.java:57)
[2013-09-14T09:39:09.39] 	at TestKeyFactory.test(TestKeyFactory.java:91)
[2013-09-14T09:39:09.39] 	at TestKeyFactory.main(TestKeyFactory.java:126)
[2013-09-14T09:39:09.39] Caused by: java.io.IOException: Point does not match field size
[2013-09-14T09:39:09.39] 	at sun.security.util.ECUtil.decodePoint(ECUtil.java:54)
[2013-09-14T09:39:09.39] 	at sun.security.pkcs11.P11ECKeyFactory.decodePoint(P11ECKeyFactory.java:89)
[2013-09-14T09:39:09.39] 	at sun.security.pkcs11.P11ECKeyFactory.implGetPublicKeySpec(P11ECKeyFactory.java:296)
[2013-09-14T09:39:09.39] 	... 5 more


Related issues: INTJDK-7606293

Comments
[jdk11u-fix-request] Approval Request from Taizo Kurashige
Clean backport. The risk is low because the fix to the source is only for P11ECKeyFactory.java and it is just the addition of switching by UseEcX963Encoding. pkcs11 tests on RHEL9 and GHA tests pass.
21-10-2024

A pull request was submitted for review.
Branch: master
URL: https://git.openjdk.org/jdk11u-dev/pull/2958
Date: 2024-10-21 07:15:55 +0000
21-10-2024

Changeset: 55f5542c
Author: Anthony Scarpino <ascarpino@openjdk.org>
Date: 2020-12-03 18:05:53 +0000
URL: https://git.openjdk.java.net/jdk/commit/55f5542c
03-12-2020

I ran the attached test, and it failed even if 'useEcX963Encoding = true' was specified in the NSS configuration file.

I found that the useEcX963Encoding parameter was introduced in JDK-7099228. Now P11Key unwraps the EC point if useEcX963Encoding is set to true before it calls the P11ECKeyFactory.decodePoint() method:

http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/2b27e14a4c82

- try { + // Check whether the X9.63 encoding of an EC point is wrapped + // in an ASN.1 OCTET STRING + if (!token.config.getUseEcX963Encoding()) { DerValue wECPoint = new DerValue(ecKey); - if (wECPoint.getTag() != DerValue.tag_OctetString) - throw new IOException("Unexpected tag: " + - wECPoint.getTag()); + if (wECPoint.getTag() != DerValue.tag_OctetString) { + throw new IOException("Could not DER decode EC point." + + " Unexpected tag: " + wECPoint.getTag()); + } w = P11ECKeyFactory.decodePoint (wECPoint.getDataBytes(), params.getCurve()); - } catch (IOException e) { - // Failover + } else { w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve()); }

But the P11ECKeyFactory.implGetPublicKeySpec() method still expects only an unwrapped EC point:

http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/tip/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java

    ...
    <T extends KeySpec> T implGetPublicKeySpec(P11Key key, Class<T> keySpec,
            Session[] session) throws PKCS11Exception, InvalidKeySpecException {
        if (ECPublicKeySpec.class.isAssignableFrom(keySpec)) {
            session[0] = token.getObjSession();
            CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
                new CK_ATTRIBUTE(CKA_EC_POINT),
                new CK_ATTRIBUTE(CKA_EC_PARAMS),
            };
            token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes);
            try {
                ECParameterSpec params = decodeParameters(attributes[1].getByteArray());
                ECPoint point = decodePoint(attributes[0].getByteArray(), params.getCurve());
    ...

As a result, the test fails with the following message:

Exception in thread "main" java.security.spec.InvalidKeySpecException: Could not parse key
	at sun.security.pkcs11.P11ECKeyFactory.implGetPublicKeySpec(P11ECKeyFactory.java:299)
	at sun.security.pkcs11.P11KeyFactory.engineGetKeySpec(P11KeyFactory.java:94)
	at java.security.KeyFactory.getKeySpec(KeyFactory.java:415)
	at TestKeyFactory.testPublic(TestKeyFactory.java:74)
	at TestKeyFactory.test(TestKeyFactory.java:108)
	at TestKeyFactory.main(TestKeyFactory.java:144)
Caused by: java.io.IOException: Point does not match field size
	at sun.security.util.ECUtil.decodePoint(ECUtil.java:54)
	at sun.security.pkcs11.P11ECKeyFactory.decodePoint(P11ECKeyFactory.java:89)
	at sun.security.pkcs11.P11ECKeyFactory.implGetPublicKeySpec(P11ECKeyFactory.java:296)
	... 5 more

I added a check to the P11ECKeyFactory.implGetPublicKeySpec() method like in P11ECKeyFactory.decodePoint(), and the test passed. Please see webrev:

http://cr.openjdk.java.net/~asmotrak/8026976/webrev.00/

It looks like a JDK issue, please take a look again.

I searched for the 'decodePoint' string and got the following:

artem@localhost:~/ws/jdk/jdk9_dev/jdk/src/share/classes$ grep -r decodePoint .
./org/jcp/xml/dsig/internal/dom/DOMKeyValue.java: private Method encodePoint, decodePoint, getCurveName,
./org/jcp/xml/dsig/internal/dom/DOMKeyValue.java: decodePoint = c.getMethod("decodePoint", params);
./org/jcp/xml/dsig/internal/dom/DOMKeyValue.java: ecPoint = (ECPoint)decodePoint.invoke(null, args);
./org/jcp/xml/dsig/internal/dom/DOMKeyValue.java: ecPoint = sun.security.ec.ECParameters.decodePoint(
./sun/security/pkcs11/P11Key.java: w = P11ECKeyFactory.decodePoint
./sun/security/pkcs11/P11Key.java: w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve());
./sun/security/pkcs11/P11ECKeyFactory.java: static ECPoint decodePoint(byte[] encoded, EllipticCurve curve) throws IOException {
./sun/security/pkcs11/P11ECKeyFactory.java: return ECUtil.decodePoint(encoded, curve);
./sun/security/pkcs11/P11ECKeyFactory.java: point = decodePoint
./sun/security/pkcs11/P11ECKeyFactory.java: point = decodePoint(ecKey, params.getCurve());
./sun/security/ec/ECKeyPairGenerator.java: ECPoint w = ECUtil.decodePoint(getEncodedBytes(handles[1]),
./sun/security/ec/ECPublicKeyImpl.java: w = ECUtil.decodePoint(key, params.getCurve());
./sun/security/util/ECUtil.java: public static ECPoint decodePoint(byte[] data, EllipticCurve curve)
./sun/security/ssl/JsseJce.java: static ECPoint decodePoint(byte[] encoded, EllipticCurve curve)
./sun/security/ssl/JsseJce.java: return ECUtil.decodePoint(encoded, curve);
./sun/security/ssl/HandshakeMessage.java: ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve());
./sun/security/ssl/ECDHCrypt.java: ECPoint point = JsseJce.decodePoint(encodedPoint, params.getCurve());

If it is a JDK issue, these files should be checked.
23-04-2014
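
Review bot: with the `} catch (IOException e) { // Failover` lines removed, the choice between DER-wrapped and raw decoding of the EC point rests entirely on `token.config.getUseEcX963Encoding()`, so a token whose encoding does not match the flag now fails where it used to fall back. The new "Could not DER decode EC point. Unexpected tag: ..." message in the wrapped branch should name the useEcX963Encoding option so the mismatch can be diagnosed from the exception alone, and the `else` branch deserves a one-line comment stating that it expects the raw X9.63 point.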

This is fixed by adding 'useEcX963Encoding = true' to the NSS configuration file used by the test. This is a test issue. Downgrading to P4.
17-10-2013
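
An added example (not code from the JDK or from this report) of the mismatch that useEcX963Encoding resolves: a point wrapped in a DER OCTET STRING, fed to a raw X9.63 decoder, passes the leading 0x04 check because the OCTET STRING tag and the uncompressed-point marker are the same byte, and is rejected only on length. The helpers decodeRaw, unwrap and fixed are hypothetical names, and the sample point is the secp256r1 base point.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.spec.*;
import java.util.Arrays;

public class EcPointEncodingDemo { // added illustration with hypothetical helpers, not JDK code
    // Raw X9.63 uncompressed point: 0x04 || X || Y, n bytes per coordinate.
    static ECPoint decodeRaw(byte[] d, int n) throws IOException {
        if (d.length == 0 || d[0] != 4)
            throw new IOException("Only uncompressed point format supported");
        if (d.length != 1 + 2 * n)
            throw new IOException("Point does not match field size");
        return new ECPoint(new BigInteger(1, Arrays.copyOfRange(d, 1, 1 + n)),
                           new BigInteger(1, Arrays.copyOfRange(d, 1 + n, d.length)));
    }
    // Strip a DER OCTET STRING header (short-form length: covers P-256 and P-384).
    static byte[] unwrap(byte[] der) throws IOException {
        if (der.length < 2 || der[0] != 0x04 || der[1] < 0 || der[1] != der.length - 2)
            throw new IOException("Could not DER decode EC point");
        return Arrays.copyOfRange(der, 2, der.length);
    }
    // Left-pad a coordinate (or drop its sign byte) to exactly n bytes.
    static byte[] fixed(BigInteger v, int n) {
        byte[] b = v.toByteArray(), out = new byte[n];
        int len = Math.min(b.length, n);
        System.arraycopy(b, b.length - len, out, n - len, len);
        return out;
    }
    public static void main(String[] args) throws Exception {
        AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
        ap.init(new ECGenParameterSpec("secp256r1"));
        ECParameterSpec spec = ap.getParameterSpec(ECParameterSpec.class);
        int n = (spec.getCurve().getField().getFieldSize() + 7) / 8;
        ECPoint g = spec.getGenerator(); // constructed sample: the curve's base point
        byte[] raw = new byte[1 + 2 * n], wrapped = new byte[raw.length + 2];
        raw[0] = 4; wrapped[0] = 0x04; wrapped[1] = (byte) raw.length;
        System.arraycopy(fixed(g.getAffineX(), n), 0, raw, 1, n);
        System.arraycopy(fixed(g.getAffineY(), n), 0, raw, 1 + n, n);
        System.arraycopy(raw, 0, wrapped, 2, raw.length);
        System.out.println("raw: " + decodeRaw(raw, n).equals(g));
        System.out.println("unwrapped: " + decodeRaw(unwrap(wrapped), n).equals(g));
        try { // 0x04 tag passes the format-byte check; only the length check rejects it
            decodeRaw(wrapped, n);
        } catch (IOException e) {
            System.out.println("wrapped as raw: " + e.getMessage());
        }
    }
}
```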

Tested with NSS library versions 3.13.1.0, 3.14.3.0. This test consistently fails on Windows.
20-09-2013