[PATCH]: Support for brainpool curves from CurveDB in SunEC

Tobias Wagner tobias.wagner at n-design.de
Mon Mar 5 18:39:20 UTC 2018

Hi Valerie and Tomas,

thanks for the hint about SoftHSM. I just found the time to test it. I was 
able to run TestECDH using it with a SoftHSM2 based SunPKCS11 provider.

I did not hear anything about my last response - so I hope, this it might be 
helpful. I wonder if there is anything left to do for me or whether the 
proposed patch is acceptable as it is right now.

There is a patch attached to show the test setup - but this is nothing to be 
used in production. There is also the jtreg output for TestECDH with SoftHSM2

To run this, I had to do some things before
* Build SoftHSM2 myself. I've used this version: 
https://github.com/opendnssec/SoftHSMv2/releases/tag/2.4.0 . The versions 
available via
   package managers did not work for me
* Generate a new token 'softhsm2-util --init-token --slot 0 --label "Token 0"' 
with PIN '123456' for the Token an the SO as well

NOTE: The PIN is hard coded into the example patch.

This worked on Linux and MacOS.


Am 09.02.2018 um 10:22 schrieb Tomas Gustavsson:
> Just FYI. SoftHSM2 from the OpenDNSSec project is a good P11 to test
> with, and I believe it supports brainpool in recent versions.
> https://github.com/opendnssec/SoftHSMv2
> It works really good)
> Regards,
> Tomas
> On 2018-02-09 02:03, Valerie Peng wrote:
>> Hi Tobias,
>> Just curious, which PKCS11 library did you use to test your patch? After
>> I applied your patch and ran the regression tests, I noticed that both
>> the Solaris PKCS11 library and NSS skipped testing Brainpool curves with
>> different error codes which may be due to lack of support...
>> Regards,
>> Valerie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TestECDH.jtr
Type: application/octet-stream
Size: 14883 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20180305/2ca0b698/TestECDH-0001.jtr>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openjdk_jdk_49130.patch
Type: application/octet-stream
Size: 3401 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20180305/2ca0b698/openjdk_jdk_49130-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5574 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20180305/2ca0b698/smime-0001.p7s>

More information about the security-dev mailing list