Latest Version of Java did not support ECC Brainpool curves. When I read an X509Certificate containing an EC Brainpool curve, I get an exception.
I found out that Java does not support certificates with Brainpool curves. Is there a way to add this support by myself?
Bouncy Castle has support for these curves. The trick is that Java still has to know about them to find them. So you cannot just add the Bouncy Castle provider and be done with it. You need to use the CertificateFactory of Bouncy Castle explicitly.
If you just use the Java CertificateFactory you will be greeted with the following exception (which you are now probably familiar with):
Exception in thread "main" java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.36.3.3.2.8.1.1.7
So use the following code snippet / solution instead:
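import java.io.ByteArrayInputStream;
import java.io.FileReader;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
Security.addProvider(new BouncyCastleProvider());
// explicit BC factory required, knows about curve!
CertificateFactory fact = CertificateFactory.getInstance("X509", BouncyCastleProvider.PROVIDER_NAME);
PemReader reader = new PemReader(new FileReader("ecc_certificate.txt"));
PemObject readPemObject = reader.readPemObject();
final byte[] cert = readPemObject.getContent();
Certificate generatedCertificate = fact.generateCertificate(new ByteArrayInputStream(cert));
System.out.println(generatedCertificate);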
To get the name of the named curve you however need to go to Bouncy Castle specific code (i.e. using the Bouncy classes directly instead of using them through the JCA):
import java.security.interfaces.ECPublicKey;
import org.bouncycastle.jce.spec.ECNamedCurveSpec;
ECPublicKey publicKey = (ECPublicKey) generatedCertificate.getPublicKey();
// Bouncy Castle specific class
ECNamedCurveSpec params = (ECNamedCurveSpec) publicKey.getParams();
System.out.println(params.getName());
Almost forgot: you need both the Bouncy Castle provider and the PKIX jar file in your classpath to do this.
Downloading the unlimited crypto files for Java never hurts either, although it probably is not directly needed for this functionality (better safe than sorry though). For newer Java versions this may not be required anymore.
EC Curve Brainpool has been disabled in Java 15 (issue) and removed after Java 15. The solution is to add a third-party library like bcprov-jdk15on. Then you just need to indicate the provider. Example:
Security.addProvider(new BouncyCastleProvider()); // load third-party lib
Signature SHA256 = Signature.getInstance("SHA256withECDSA", "BC"); // use BC provider
With these 2 lines you get rid of the "Legacy SunEC curve disabled" on Java 15 and "Curve not supported" exception in Java >15. More info here. And details on how to use Java Bouncy Castle in baeldung.com.
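The two answers above combined into one program, as an added example that is not code from either answer: it builds a throwaway self-signed brainpoolP256r1 certificate in memory (constructed sample input), shows what the default CertificateFactory does with it on the running JDK, then parses and verifies it through the explicit BC provider. The class name, subject name and validity period are assumptions; bcprov and bcpkix must be on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.spec.ECNamedCurveSpec;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class BrainpoolCertDemo { // hypothetical class name
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Constructed sample input: a self-signed certificate on brainpoolP256r1.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "BC");
        kpg.initialize(new ECGenParameterSpec("brainpoolP256r1"));
        KeyPair kp = kpg.generateKeyPair();
        X500Name name = new X500Name("CN=brainpool-demo");
        Date from = new Date(System.currentTimeMillis() - 60_000L);
        Date to = new Date(System.currentTimeMillis() + 86_400_000L);
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withECDSA")
                .setProvider("BC").build(kp.getPrivate());
        byte[] der = new JcaX509v3CertificateBuilder(name, BigInteger.ONE, from, to, name,
                kp.getPublic()).build(signer).getEncoded();

        // Default factory: the outcome depends on the JDK version, so report it.
        try {
            CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
            System.out.println("default factory: parsed");
        } catch (CertificateException e) {
            System.out.println("default factory: " + e.getMessage());
        }

        // Explicit BC factory, as in the first answer.
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509", "BC")
                .generateCertificate(new ByteArrayInputStream(der));
        ECPublicKey pub = (ECPublicKey) cert.getPublicKey();
        System.out.println("curve: " + ((ECNamedCurveSpec) pub.getParams()).getName());

        // Signature verification is routed to BC as well, as in the second answer.
        cert.verify(kp.getPublic(), "BC"); // throws if the signature does not verify
        System.out.println("signature verified with BC");
    }
}
```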