CVCA with ECDSA Key with brainpool256r1 spec

[Fabio Mangiarulo]

Hello ,
we have a problem with the creation of a CA associated with keys of type ECDSA with spec . Brainpool256r1 .

Summarize the configuration of our environment :

S.O : Win 2008
EJBCA 3.10.6
jboss 4.3
jdk1.6

We have created our Brainpoll256r1 ECDSA keys on a HSM Lunasa .
Successivamenta we created our CVCA in this way :

Type of CA: CVC
CA Token Type PKCS # 11
Hard CA Token Properties:
slot 1
defaultKey DVECDSADEU01
SharedLibrary C: \ \ ejbca_3_8_2 \ \ lib \ \ cryptoki.dll
pin xxxxxxxxxxx

Signing Algorithm : SHA1WithECDSA
Key sequence : 00001
Subject DN : CN = XXX , C = KK
Signed By : selfsigned
Certificate Profile : RootCA
Validity (Days ) : 365

After you have entered all the parameters and press the Create button we get the following Error: CA token authorization failed .

In jboss log we see the following error:
18/04/2014 13:10:40,408 ERROR [ org.ejbca.core.model.ca.catoken.PKCS11CAToken ] Failed to initialize PKCS11 provider slot '1 '.
java.security.KeyStoreException : KeyStore instantiation failed
...
...
...
Caused by: java.security.cert.CertificateParsingException : java.io.IOException : Unknown named curve : 1.3.36.3.3.2.8.1.1.7

Why , could someone help us?

[Tomas Gustavsson]

Java PKCS#11 does not support Brainpool curves. You can find our documentation about it here.
http://ejbca.org/docs/adminguide.html#ECDSA%20keys%20and%20signatures

PrimeKey has a java PKCS#11 patch that is available for Enterprise Support Customers (it has also been submitted to Oracle for inclusion in Java).

Cheers,
Tomas

---

Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
http://www.primekey.se/Products/EJBCA+PKI/
http://www.primekey.se/Services/Support/

[Fabio Mangiarulo]

Hi Tomas,
We've read your link; but we didn't resolved our problem.

The problem is in decodeParameters method in ECParameter class:

1. public static ECParameterSpec decodeParameters(byte[] params) throws IOException {
2. DerValue encodedParams = new DerValue(params);
3. if (encodedParams.tag == DerValue.tag_ObjectId) {
4. ObjectIdentifier oid = encodedParams.getOID();
5. ECParameterSpec spec = NamedCurve.getECParameterSpec(oid);
6. if (spec == null) {
7. throw new IOException("Unknown named curve: " + oid);
8. }
9. return spec;

10. }

11. throw new IOException("Only named ECParameters supported");

We have the following exception "java.io.IOException : Unknown named curve : 1.3.36.3.3.2.8.1.1.7" (row 7) because the getECParameters method of the NamedCurve class doesn't know the value 1.3.36.3.3.2.8.1.1.7 of the oid.
So we resolved this adding the following oid values in the NamedCurve class:

---

        /* Brainpool curves (RFC 5639) */
    add("brainpoolP160r1", "1.3.36.3.3.2.8.1.1.1", P,
        "E95E4A5F737059DC60DFC7AD95B3D8139515620F",
        "340E7BE2A280EB74E2BE61BADA745D97E8F7C300",
        "1E589A8595423412134FAA2DBDEC95C8D8675E58",
        "BED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3",
        "1667CB477A1A8EC338F94741669C976316DA6321",
        "E95E4A5F737059DC60DF5991D45029409E60FC09",
        1);

    add("brainpoolP160t1", "1.3.36.3.3.2.8.1.1.2", P,
        "E95E4A5F737059DC60DFC7AD95B3D8139515620F",
        "E95E4A5F737059DC60DFC7AD95B3D8139515620C",
        "7A556B6DAE535B7B51ED2C4D7DAA7A0B5C55F380",
        "B199B13B9B34EFC1397E64BAEB05ACC265FF2378",
        "ADD6718B7C7C1961F0991B842443772152C9E0AD",
        "E95E4A5F737059DC60DF5991D45029409E60FC09",
        1);

    add("brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3", P,
        "C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297",
        "6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF",
        "469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9",
        "C0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6",
        "14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F",
        "C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1",
        1);

    add("brainpoolP192t1", "1.3.36.3.3.2.8.1.1.4", P,
        "C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297",
        "C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86294",
        "13D56FFAEC78681E68F9DEB43B35BEC2FB68542E27897B79",
        "3AE9E58C82F63C30282E1FE7BBF43FA72C446AF6F4618129",
        "097E2C5667C2223A902AB5CA449D0084B7E5B3DE7CCC01C9",
        "C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1",
        1);

    add("brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5", P,
        "D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF",
        "68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43",
        "2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B",
        "0D9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D",
        "58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD",
        "D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F",
        1);

    add("brainpoolP224t1", "1.3.36.3.3.2.8.1.1.6", P,
        "D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF",
        "D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FC",
        "4B337D934104CD7BEF271BF60CED1ED20DA14C08B3BB64F18A60888D",
        "6AB1E344CE25FF3896424E7FFE14762ECB49F8928AC0C76029B4D580",
        "0374E9F5143E568CD23F3F4D7C0D4B1E41C8CC0D1C6ABD5F1A46DB4C",
        "D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F",
        1);

    add("brainpoolP256r1", "1.3.36.3.3.2.8.1.1.7", P,
        "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377",
        "7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9",
        "26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6",
        "8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262",
        "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997",
        "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7",
        1);

    add("brainpoolP256t1", "1.3.36.3.3.2.8.1.1.8", P,
        "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377",
        "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374",
        "662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04",
        "A3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4",
        "2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE",
        "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7",
        1);

    add("brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9", P,
        "D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27",
        "3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F492F375A97D860EB4",
        "520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6",
        "43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C710AF8D0D39E20611",
        "14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7D35245D1692E8EE1",
        "D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311",
        1);

    add("brainpoolP320t1", "1.3.36.3.3.2.8.1.1.10", P,
        "D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27",
        "D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E24",
        "A7F561E038EB1ED560B3D147DB782013064C19F27ED27C6780AAF77FB8A547CEB5B4FEF422340353",
        "925BE9FB01AFC6FB4D3E7D4990010F813408AB106C4F09CB7EE07868CC136FFF3357F624A21BED52",
        "63BA3A7A27483EBF6671DBEF7ABB30EBEE084E58A0B077AD42A5A0989D1EE71B1B9BC0455FB0D2C3",
        "D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311",
        1);

    add("brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11", P,
        "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53",
        "7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826",
        "04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11",
        "1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E",
        "8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315",
        "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565",
        1);

    add("brainpoolP384t1", "1.3.36.3.3.2.8.1.1.12", P,
        "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53",
        "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC50",
        "7F519EADA7BDA81BD826DBA647910F8C4B9346ED8CCDC64E4B1ABD11756DCE1D2074AA263B88805CED70355A33B471EE",
        "18DE98B02DB9A306F2AFCD7235F72A819B80AB12EBD653172476FECD462AABFFC4FF191B946A5F54D8D0AA2F418808CC",
        "25AB056962D30651A114AFD2755AD336747F93475B7A1FCA3B88F2B6A208CCFE469408584DC2B2912675BF5B9E582928",
        "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565",
        1);

    add("brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13", P,
        "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3",
        "7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA",
        "3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723",
        "81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822",
        "7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892",
        "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069",
        1);

    add("brainpoolP512t1", "1.3.36.3.3.2.8.1.1.14", P,
        "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3",
        "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F0",
        "7CBBBCF9441CFAB76E1890E46884EAE321F70C0BCB4981527897504BEC3E36A62BCDFA2304976540F6450085F2DAE145C22553B465763689180EA2571867423E",
        "640ECE5C12788717B9C1BA06CBC2A6FEBA85842458C56DDE9DB1758D39C0313D82BA51735CDB3EA499AA77A7D6943A64F7A3F25FE26F06B51BAA2696FA9035DA",
        "5B534BD595F5AF0FA2C892376C84ACE1BB4E3019B71634C01131159CAE03CEE9D9932184BEEF216BD71DF2DADF86A627306ECFF96DBB8BACE198B61E00F8B332",
        "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069",
        1);

---

In this way all work perfectly.

Thank's a lot and best regards.

[TalimGideon]

Hi,

how did you extend NamedCurve class. Did you recompile while jre?
can u give me a hint?

thx

OK I got it Thank you - just recompiled NamedCurve.java and replaced it in jre/lib/rt.jar

[Opa114]

Hi,

could you please provide the recompiled NamedCurve.java? I have the same problem and i need support for EC Curves in Java. or isthere an other way to support it in my applicaton without modify the source?

[Tomas Gustavsson]

Hi,

PrimeKey has made patches for JDK (also submitted to OpenJDK of course), but only provide it to support customers.

Regards,
Tomas

---

Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/