Hello,
I've stumbled on a problem with the ECC and I would like to know if anybody did so too and what can be done.
In our application we need to check X509 certificates. Therefor we parse them with the java.security.cert.CertificateFactory like this:
public X509Certificate parseCertificate(byte[] encodedCertificate) {
try {
CertificateFactory cf = CertificateFactory.getInstance("X509");
ByteArrayInputStream bais = new ByteArrayInputStream(encodedCertificate);
X509Certificate x509 = (X509Certificate)cf.generateCertificate(bais);
return x509;
} catch (CertificateException e) {
log.log(Level.SEVERE, "Could not parse X509 certificate", e);
}
return null;
}
This worked for years without any problems. Now customers have new cards by TeleSec with ECC support. Authentication and Encryption certificate are no problems but non-repudiation certificate throws error:
Caused by: java.io.IOException: Unknown named curve: 1.3.36.3.3.2.8.1.1.7
at sun.security.ec.ECParameters.decodeParameters(ECParameters.java:197)
at sun.security.ec.ECParameters.engineInit(ECParameters.java:319)
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:139)
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
at sun.security.x509.X509Key.parse(X509Key.java:168)
at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
... 30 more
A google-search did bring up that the Elliptic curve brainpoolP256r1 (which is the curve mentioned in the exception) seems not to be supported by the oracle JDK.
Is there a workaround? I thought of bouncycastle. But I would prefer to use only the JDK JCE.
Thanks!
Stephan