JDK-8236052 : More restrictive ECPrivateKey parsing
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2019-12-17
  • Updated: 2020-06-17
  • Resolved: 2020-06-17
Related Reports
Duplicate :  
JDK-8244565 - Accept PKCS #8 with version number 1
Relates :  
JDK-8234465 - Encoded elliptic curve private keys should include the public point
Description
ECPrivateKey ::= SEQUENCE {
   version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
   privateKey OCTET STRING,
   parameters [0] ECDomainParameters {{ SECGCurveNames }} OPTIONAL,
   publicKey [1] BIT STRING OPTIONAL
}

We now do not care about the order of [0] and [1], allow multiple copies of them, and allow extra data.