Question about About ECDH_ECDSA implementation

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Question about About ECDH_ECDSA implementation

Seung-bum Jin
--------------------------------------------------------------
       From: Seung-bum Jin <[hidden email]>
         To: [hidden email]
    Subject: Question about DTLS implementations

Hi All,

We are trying to use the BouncyCastle 1.63 java source to implement DTLS protcol on our JSSE provider. 


The source code of org.bouncycastle.jsse.provider.ProvTlsServer seems to be not processing ECDH_ECDSA case. Is the code intended implementation? Or features still not implemented? 


    protected boolean selectCredentials(int cipherSuite) throws IOException
    {
        this.credentials = null;

        int keyExchangeAlgorithm = TlsUtils.getKeyExchangeAlgorithm(cipherSuite);
        switch (keyExchangeAlgorithm)
        {
        case KeyExchangeAlgorithm.DH_anon:
        case KeyExchangeAlgorithm.ECDH_anon:
            return true;

        case KeyExchangeAlgorithm.DHE_DSS:
        case KeyExchangeAlgorithm.DHE_RSA:
        case KeyExchangeAlgorithm.ECDHE_ECDSA:
        case KeyExchangeAlgorithm.ECDHE_RSA:
        case KeyExchangeAlgorithm.RSA:
            break;

        default:
            return false;
        }
...


Seung-Bum Jin.

 

Driector, Research & Development Dept.

Peoplecar,

Replublic Of Korea.

--------------------------------------------------------------  

    ....
Reply | Threaded
Open this post in threaded view
|

Re: Question about About ECDH_ECDSA implementation

Peter Dettman-3
Hi Seung-bum,
Although our underlying TLS implementation (org.bouncycastle.tls)
technically still has support for static ECDH (and DH), it is strongly
deprecated by TLS standards.

In the BCJSSE provider we decided not to support any cipher suites that
use static key agreement (DH_DSS, DH_RSA, ECDH_ECDSA, ECDH_RSA), and
therefore we do not need to handle the case of ECDH_ECDSA when selecting
server credentials.

Regards,
Pete Dettman


On 15/11/19 9:54 pm, Seung-bum Jin wrote:

> --------------------------------------------------------------
>        From: Seung-bum Jin <[hidden email] <mailto:[hidden email]>>
>          To: [hidden email]
> <mailto:[hidden email]>
>     Subject: Question about DTLS implementations
>
> Hi All,
>
> We are trying to use the BouncyCastle 1.63 java source to implement DTLS
> protcol on our JSSE provider. 
>
>
> The source code of org.bouncycastle.jsse.provider.ProvTlsServer seems to
> be not processing ECDH_ECDSA case. Is the code intended implementation?
> Or features still not implemented? 
>
>
>     protected boolean selectCredentials(int cipherSuite) throws IOException
>     {
>         this.credentials = null;
>
>         int keyExchangeAlgorithm =
> TlsUtils.getKeyExchangeAlgorithm(cipherSuite);
>         switch (keyExchangeAlgorithm)
>         {
>         case KeyExchangeAlgorithm.DH_anon:
>         case KeyExchangeAlgorithm.ECDH_anon:
>             return true;
>
>         case KeyExchangeAlgorithm.DHE_DSS:
>         case KeyExchangeAlgorithm.DHE_RSA:
>         case KeyExchangeAlgorithm.ECDHE_ECDSA:
>         case KeyExchangeAlgorithm.ECDHE_RSA:
>         case KeyExchangeAlgorithm.RSA:
>             break;
>
>         default:
>             return false;
>         }
> ...
>
>
> Seung-Bum Jin.
>
>  
>
> Driector, Research & Development Dept.
>
> Peoplecar,
>
> Replublic Of Korea.
>
> --------------------------------------------------------------  
>
>     ....