Christopher Meyer

About Christopher Meyer

Chris works as a researcher and is eagerly looking for bugs in SSL/TLS, the Java platform and various applications. In addition, he is primarily interested in secure coding and exploiting coding mistakes.

How to use ECC with OpenJDK

Everyone who ever tried to use Elliptic Curve Cryptography (ECC) in Java with an OpenJDK was either forced to use Bouncy Castle or fumble with the SunEC provider. The SunEC provider offers the following algorithms according to the documentation (quote):

AlgorithmParametersEC
KeyAgreementECDH
KeyFactoryEC
KeyPairGeneratorEC
SignatureNONEwithECDSA
SHA1withECDSA
SHA256withECDSA
SHA384withECDSA
SHA512withECDSA

Unfortunately, this provider is not shipped with OpenJDK. But anyone who really would like to try the Java builtin ECC functionility would possibly try to simply add the sunec.jar (which contains the provider) to the jre/lib/ext/ folder. But, when trying to use the provider these guys will definitely rub their eyes in amazement. Things are different than they seem at first…

Let’s assume we added the library to the correct folder, our OpenJDK notices it and we could successfully compile the following code without any exceptions:

package eccprovidertest;

import java.security.Provider;
import java.security.Provider.Service;
import java.security.Security;
import sun.security.ec.SunEC;

/**
 * ECC Provider Test.
 * @author  Christopher Meyer - christopher.meyer@rub.de
 * @version 0.1

 * Oct 23, 2013
 */
public class ECCProviderTest {

    /**
     * @param args the command line arguments
     */
    public static void main(final String[] args) {
        Provider sunEC = new SunEC();
        Security.addProvider(sunEC);
        for(Service service : sunEC.getServices()) {
            System.out.println(service.getType() + ": " 
                    + service.getAlgorithm());
        }
    }

}

If we finally run it with an OpenJDK (java version “1.7.0_25″) we get the following output:

KeyFactory: EC
AlgorithmParameters: EC

Wow! This is not a very useful provider….. Where are the promised algorithms? Let’s try to run the code, just for fun, with the Oracle JDK:

KeyFactory: EC
AlgorithmParameters: EC
Signature: NONEwithECDSA
Signature: SHA1withECDSA
Signature: SHA256withECDSA
Signature: SHA384withECDSA
Signature: SHA512withECDSA
KeyPairGenerator: EC
KeyAgreement: ECDH

Surprise, surprise! That’s the moment when you start rubbing your eyes! Here are the algorithms, but why are they only available when using the Oracle JDK?

The reason for this is hidden in the provider’s code. The following lines are taken from sun.security.ec.SunEC:

private static final long serialVersionUID = -2279741672933606418L;

// flag indicating whether the full EC implementation is present
// (when native library is absent then fewer EC algorithms are available)
private static boolean useFullImplementation = true;
static {
    try {
        AccessController.doPrivileged(new PrivilegedAction() {
            public Void run() {
               System.loadLibrary("sunec"); // check for native library
               return null;
            }
        });
    } catch (UnsatisfiedLinkError e) {
        useFullImplementation = false;
    }
}

public SunEC() {
    super("SunEC", 1.7d, "Sun Elliptic Curve provider (EC, ECDSA, ECDH)");

    // if there is no security manager installed, put directly into
    // the provider. Otherwise, create a temporary map and use a
    // doPrivileged() call at the end to transfer the contents
    if (System.getSecurityManager() == null) {
        SunECEntries.putEntries(this, useFullImplementation);
    } else {
        Map<Object, Object> map = new HashMap<Object, Object>();
        SunECEntries.putEntries(map, useFullImplementation);
        AccessController.doPrivileged(new PutAllAction(this, map));
    }
}

Additionally, the following can be found in SunECEntries class, after some entries have been added to the list:

/*
 * Register the algorithms below only when the full ECC implementation
 * is available
 */
if (!useFullImplementation) {
    return;
}

Ok, this explains the behaviour. The algorithms are only present if a native library could be successfully loaded (either libsunec.so or sunec.dll on Windows machines). This library is obviously missing in our case (since we only copied the sunec.jar file).

Unfortunately, if we had read the provider documentation we would know about that:

“[...] The Java classes are packaged into the signed sunec.jar in the JRE extensions directory and the C++ and C functions are packaged into libsunec.so or sunec.dll in the JRE native libraries directory. If the native library is not present then this provider is registered with support for fewer ECC algorithms (KeyPairGenerator, Signature and KeyAgreement are omitted).”

Unfortunately, it was our own, hasty zest for action which has cost us valuable time of our developer-life. Take away: Reading JavaDocs is sometimes really helpful….(, but not as educative as the painstaking debugging).
 

Reference: How to use ECC with OpenJDK from our JCG partner Christopher Meyer at the Java security and related topics blog.

Do you want to know how to develop your skillset to become a Java Rockstar?

Subscribe to our newsletter to start Rocking right now!

To get you started we give you two of our best selling eBooks for FREE!

JPA Mini Book

Learn how to leverage the power of JPA in order to create robust and flexible Java applications. With this Mini Book, you will get introduced to JPA and smoothly transition to more advanced concepts.

JVM Troubleshooting Guide

The Java virtual machine is really the foundation of any Java EE platform. Learn how to master it with this advanced guide!

Given email address is already subscribed, thank you!
Oops. Something went wrong. Please try again later.
Please provide a valid email address.
Thank you, your sign-up request was successful! Please check your e-mail inbox.
Please complete the CAPTCHA.
Please fill in the required fields.

Leave a Reply


9 × nine =



Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy | Contact
All trademarks and registered trademarks appearing on Java Code Geeks are the property of their respective owners.
Java is a trademark or registered trademark of Oracle Corporation in the United States and other countries.
Java Code Geeks is not connected to Oracle Corporation and is not sponsored by Oracle Corporation.
Do you want to know how to develop your skillset and become a ...
Java Rockstar?

Subscribe to our newsletter to start Rocking right now!

To get you started we give you two of our best selling eBooks for FREE!

Get ready to Rock!
You can download the complementary eBooks using the links below:
Close