rh-openjdk / CryptoTest

Complete example of java crypto API
MIT License

SignatureTests: ignore SunMSCAPI EC algorithms missing KeyPairGenerator #37

Closed zzambers closed 1 year ago

zzambers commented 1 year ago

Problem: SunMSCAPI provider does not have KeyPairGenerators for EC keys [1] (and does not accept keys generated by generators from other providers).

 java.lang.Exception: 141)  SunMSCAPI:  SHA224withECDSA~SHA224withECDSA  (Signature)
    at cryptotest.utils.AlgorithmTest.mainLoop(AlgorithmTest.java:85)
    at cryptotest.utils.AlgorithmTest.doTest(AlgorithmTest.java:58)
    at cryptotest.CryptoTest.main(CryptoTest.java:128)
Caused by: cryptotest.utils.AlgorithmRunException: java.security.InvalidKeyException: Key type not supported: class sun.security.ec.ECPrivateKeyImpl EC
    at cryptotest.tests.SignatureTests.checkAlgorithm(SignatureTests.java:156)
    at cryptotest.utils.AlgorithmTest.mainLoop(AlgorithmTest.java:79)
    ... 2 more
Caused by: java.security.InvalidKeyException: Key type not supported: class sun.security.ec.ECPrivateKeyImpl EC
    at jdk.crypto.mscapi/sun.security.mscapi.CSignature$ECDSA.engineInitSign(CSignature.java:442)
    at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1370)
    at java.base/java.security.Signature.initSign(Signature.java:635)
    at cryptotest.tests.SignatureTests.checkAlgorithm(SignatureTests.java:134)
    ... 3 more

Fix: Ignore Signature algorithms, where we don't have generators.

[1] https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/CKeyPairGenerator.java
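An added example (not CryptoTest's own code) of the check the fix describes: before exercising an ECDSA Signature service, confirm that the same provider also registers an EC KeyPairGenerator, and skip the algorithm otherwise. The class, enum and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class EcSignatureProbe {   // hypothetical name, for illustration only
    enum Result { OK, SKIPPED_NO_GENERATOR, FAILED }

    // Signs and verifies with keys generated by the SAME provider, or skips
    // when that provider has no EC KeyPairGenerator (the SunMSCAPI case).
    static Result probe(Provider p, String sigAlg) {
        if (p.getService("KeyPairGenerator", "EC") == null) {
            return Result.SKIPPED_NO_GENERATOR;
        }
        try {
            KeyPair kp = KeyPairGenerator.getInstance("EC", p).generateKeyPair();
            // Constructed sample input; short enough for NONEwithECDSA too.
            byte[] msg = "constructed sample".getBytes(StandardCharsets.UTF_8);

            Signature signer = Signature.getInstance(sigAlg, p);
            signer.initSign(kp.getPrivate());
            signer.update(msg);
            byte[] sig = signer.sign();

            Signature verifier = Signature.getInstance(sigAlg, p);
            verifier.initVerify(kp.getPublic());
            verifier.update(msg);
            return verifier.verify(sig) ? Result.OK : Result.FAILED;
        } catch (GeneralSecurityException | RuntimeException e) {
            return Result.FAILED;   // includes InvalidKeyException and ProviderException
        }
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) {
            for (Provider.Service svc : p.getServices()) {
                if (svc.getType().equals("Signature")
                        && svc.getAlgorithm().toUpperCase().contains("ECDSA")) {
                    System.out.println(p.getName() + ": " + svc.getAlgorithm()
                            + " -> " + probe(p, svc.getAlgorithm()));
                }
            }
        }
    }
}
```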

judovana commented 1 year ago

Weird. Do you know how to generate a key pair for it?

zzambers commented 1 year ago

Well, I don't think it is currently possible to create a compatible EC key from Java. The CSignature class from SunMSCAPI requires the EC key to be an instance of CPrivateKey. That in turn is some kind of handle to a native key in the MS API. There is no KeyPairGenerator for EC, and SunMSCAPI does not implement a KeyFactory to convert from Java-side keys.

I think it could be possible to sign with EC keys present in the Windows keystore, if put there by other means. I see no way to create them from Java.

judovana commented 1 year ago

Fair enough, ty!