Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove support for sect571k1 as it is no longer supported by Java-17 #1620

Closed
Tracked by #1670
DarshitChanpura opened this issue Feb 16, 2022 · 7 comments · Fixed by #1711
Closed
Tracked by #1670

Remove support for sect571k1 as it is no longer supported by Java-17 #1620

DarshitChanpura opened this issue Feb 16, 2022 · 7 comments · Fixed by #1711
Labels
bug Something isn't working v2.0.0

Comments

@DarshitChanpura
Copy link
Member

DarshitChanpura commented Feb 16, 2022
edited
Loading

A known JDK bug JDK-8251547 is causing CI build to fail for Java-17 with the following error:

com.amazon.dlic.auth.http.jwt.HTTPJwtAuthenticatorTest > testES512 FAILED
    java.security.ProviderException: Curve not supported:  sect571k1 [NIST K-571] (1.3.132.0.38)
        at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:157)
        at java.base/java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:727)
        at com.amazon.dlic.auth.http.jwt.HTTPJwtAuthenticatorTest.testES512(HTTPJwtAuthenticatorTest.java:489)

Note: A temporary fix has been implement in #1609 to ignore the broken test.

This issue needs to be triaged to align with one of the two options:

  1. Remove elliptic curve sect571k1 support completely
  2. Add support for this curve when being built using JDK 17
@DarshitChanpura DarshitChanpura added the bug Something isn't working label Feb 16, 2022
@DarshitChanpura DarshitChanpura mentioned this issue Feb 16, 2022
Merged
1 task
@dblock dblock mentioned this issue Feb 18, 2022
Closed
15 tasks
@dblock
Copy link
Member

dblock commented Feb 18, 2022
edited
Loading

This seems to say that the build/test fails, but is the problem JDK17 support in the security plugin, or is it just a test that needs to be rewritten? It seems that sect571k1 is no longer supported on JDK17 and that has consequences to users. If that's true the issue should be renamed (e.g. "Re-add support to sect571k1 on JDK17" or "remove support for sect571k1"). Basically, what does this mean to users? What do we need to document? What will be broken for those who use JDK17?

@dblock dblock added the v1.3.0 label Feb 18, 2022
@DarshitChanpura DarshitChanpura changed the title Java 17 build fails due to a known JDK bug Remove support for sect571k1 as it is no longer supported by Java-17 Feb 18, 2022
@davidlago
Copy link

@DarshitChanpura could you please see if there are any alternative providers for this EC that we could add instead? I'm not 100% sure the reason for removal was security concerns but rather lack of use/outdated.

@DarshitChanpura DarshitChanpura mentioned this issue Mar 2, 2022
Closed
3 tasks
@peternied
Copy link
Member

After #1661 gets merged can we see if we can re-enable this test?

@cliu123 cliu123 added v2.0.0 and removed v1.3.0 labels Mar 7, 2022
@peternied peternied mentioned this issue Mar 17, 2022
Closed
3 tasks
@davidlago
Copy link

We will use the opportunity of the breaking change in 2.0 to drop support for this EC. If people still need this we can open an issue down the road and study options for alternative providers of these.

@DarshitChanpura
Copy link
Member Author

DarshitChanpura commented Mar 25, 2022
edited
Loading

After #1661 gets merged can we see if we can re-enable this test?

Even after #1661 's merge, the test still fail with the same issue, but since we are dropping the support for EC we can leave this issue as closed.

@peternied peternied reopened this Mar 25, 2022
@peternied
Copy link
Member

Going to make the code change to make sure this is resolved

@DarshitChanpura DarshitChanpura mentioned this issue Mar 25, 2022
Merged
2 tasks
@DarshitChanpura
Copy link
Member Author

Once the PR: #1771 is merged we can close: #1670

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working v2.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixes broken test due to unsupported EC using JDK-17 DarshitChanpura/security
5 participants
@dblock @peternied @davidlago @cliu123 @DarshitChanpura