JDK-8235710 : Remove the legacy elliptic curves
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-12-10
  • Updated: 2024-11-22
  • Resolved: 2020-09-25
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 16
16 b18Fixed
Related Reports
Blocks :  
JDK-8237218 - Support NIST Curves verification in java implementation
CSR :  
JDK-8251547 - Remove the legacy elliptic curves
Duplicate :  
JDK-8236006 - Remove the legacy elliptic curve implementations
Relates :  
JDK-8234924 - Deprecate the legacy elliptic curves for removal
Relates :  
JDK-8276863 - Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java
Relates :  
JDK-8233228 - Disable weak named curves by default in TLS, CertPath, and Signed JAR
Relates :  
JDK-8253637 - Update EC removal
Relates :  
JDK-8237219 - Disable native SunEC implementation by default
Sub Tasks
JDK-8240192 :  
Remove the legal ecc.md when sunec native libary is removed - Resolved
JDK-8252601 :  
Release Note: Removal of Legacy Elliptic Curves - Closed
JDK-8253551 :  
Update security guide for Remove the legacy elliptic curves - Resolved
Description
Remove the elliptic curves currently implemented in the native implementation of the SunEC provider and that were deprecated in JDK 14.
Comments
Changeset: 0b83fc01 Author: Anthony Scarpino <ascarpino@openjdk.org> Date: 2020-09-25 02:40:36 +0000 URL: https://git.openjdk.java.net/jdk/commit/0b83fc01
25-09-2020
We should also strongly consider moving jdk.crypto.ec into java.base as part of this work. TLS doesn’t really work w/o it as EC is needed for the most secure cipher suites. This is inconvenient, as anyone that builds a modular app using https needs to remember to add the jdk.crypto.ec module. Once the native EC implementations are removed, the static footprint of the SunEC provider should be much smaller, so the size increase of adding it to java.base should be much less of an issue. One compatibility issue will be build environments that explicitly specify jdk.crypto.ec to jlink. However, we can deprecate jdk.crypto.ec for removal and leave an "empty" module to reduce the compatibility risk. jlink may also need to be enhanced to print a deprecation warning for modules that are deprecated for removal.
01-07-2020