/hg/icedtea8-forest/jdk: 2 new changesets
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Mon Sep 14 03:05:58 UTC 2020
changeset 0f47395eac5d in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=0f47395eac5d
author: Andrew John Hughes <gnu_andrew at member.fsf.org>
date: Sun Sep 13 17:40:57 2020 +0100
8080462, PR3801: Update SunPKCS11 provider with PKCS11 v2.40 support
8169925: PKCS #11 Cryptographic Token Interface license
8238898: Missing hash characters for header on license file
Summary: Added support for GCM, PSS, and other mechanisms
Reviewed-by: jnimeh, phh, andrew
changeset ccc017f54531 in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=ccc017f54531
author: Andrew John Hughes <gnu_andrew at member.fsf.org>
date: Mon Sep 14 00:48:39 2020 +0100
8236512, PR3801: PKCS11 Connection closed after Cipher.doFinal and NoPadding
Summary: Removed killSession() calls in certain impl classes when cancelling operations
diffstat:
THIRD_PARTY_README | 38 +
make/mapfiles/libj2pkcs11/mapfile-vers | 1 +
src/share/classes/sun/security/pkcs11/P11AEADCipher.java | 754 +++
src/share/classes/sun/security/pkcs11/P11Cipher.java | 31 +-
src/share/classes/sun/security/pkcs11/P11Mac.java | 20 +-
src/share/classes/sun/security/pkcs11/P11PSSSignature.java | 697 +++
src/share/classes/sun/security/pkcs11/P11RSACipher.java | 64 +-
src/share/classes/sun/security/pkcs11/P11Signature.java | 159 +-
src/share/classes/sun/security/pkcs11/SunPKCS11.java | 84 +-
src/share/classes/sun/security/pkcs11/wrapper/CK_CCM_PARAMS.java | 83 +
src/share/classes/sun/security/pkcs11/wrapper/CK_GCM_PARAMS.java | 75 +
src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java | 59 +-
src/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java | 144 +-
src/share/classes/sun/security/pkcs11/wrapper/Functions.java | 289 +-
src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java | 118 +-
src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java | 794 ++-
src/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java | 16 +
src/share/classes/sun/security/util/GCMParameters.java | 153 +
src/share/native/sun/security/pkcs11/wrapper/p11_convert.c | 1286 ++---
src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c | 162 +-
src/share/native/sun/security/pkcs11/wrapper/p11_digest.c | 53 +-
src/share/native/sun/security/pkcs11/wrapper/p11_general.c | 26 +-
src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c | 223 +-
src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c | 4 +-
src/share/native/sun/security/pkcs11/wrapper/p11_sign.c | 225 +-
src/share/native/sun/security/pkcs11/wrapper/p11_util.c | 151 +-
src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h | 124 -
src/share/native/sun/security/pkcs11/wrapper/pkcs11.h | 82 +-
src/share/native/sun/security/pkcs11/wrapper/pkcs11f.h | 215 +-
src/share/native/sun/security/pkcs11/wrapper/pkcs11t.h | 1992 +++++----
src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h | 73 +-
test/sun/security/pkcs11/Cipher/Test4512704.java | 76 +
test/sun/security/pkcs11/Cipher/TestCICOWithGCM.java | 109 +
test/sun/security/pkcs11/Cipher/TestCICOWithGCMAndAAD.java | 122 +
test/sun/security/pkcs11/Cipher/TestGCMKeyAndIvCheck.java | 197 +
test/sun/security/pkcs11/Cipher/TestKATForGCM.java | 322 +
test/sun/security/pkcs11/MessageDigest/ByteBuffers.java | 55 +-
test/sun/security/pkcs11/Signature/InitAgainPSS.java | 87 +
test/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java | 132 +
test/sun/security/pkcs11/Signature/SigInteropPSS.java | 121 +
test/sun/security/pkcs11/Signature/SignatureTestPSS.java | 147 +
test/sun/security/pkcs11/Signature/TestDSA2.java | 93 +
42 files changed, 6670 insertions(+), 2986 deletions(-)
diffs (truncated from 13697 to 500 lines):
diff -r 3f4329f3a19c -r ccc017f54531 THIRD_PARTY_README
--- a/THIRD_PARTY_README Fri Sep 04 17:46:08 2020 +0100
+++ b/THIRD_PARTY_README Mon Sep 14 00:48:39 2020 +0100
@@ -3243,3 +3243,41 @@
-------------------------------------------------------------------------------
+%% This notice is provided with respect to OASIS PKCS #11 Cryptographic Token
+Interface v2.40, which may be included with JRE 8, JDK 8, and OpenJDK 8.
+
+--- begin of LICENSE ---
+
+Copyright (c) OASIS Open 2016. All Rights Reserved.
+
+All capitalized terms in the following text have the meanings assigned to them
+in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The
+full Policy may be found at the OASIS website:
+[http://www.oasis-open.org/policies-guidelines/ipr]
+
+This document and translations of it may be copied and furnished to others, and
+derivative works that comment on or otherwise explain it or assist in its
+implementation may be prepared, copied, published, and distributed, in whole or
+in part, without restriction of any kind, provided that the above copyright
+notice and this section are included on all such copies and derivative works.
+However, this document itself may not be modified in any way, including by
+removing the copyright notice or references to OASIS, except as needed for the
+purpose of developing any document or deliverable produced by an OASIS
+Technical Committee (in which case the rules applicable to copyrights, as set
+forth in the OASIS IPR Policy, must be followed) or as required to translate it
+into languages other than English.
+
+The limited permissions granted above are perpetual and will not be revoked by
+OASIS or its successors or assigns.
+
+This document and the information contained herein is provided on an "AS IS"
+basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
+INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
+FITNESS FOR A PARTICULAR PURPOSE. OASIS AND ITS MEMBERS WILL NOT BE LIABLE FOR
+ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE
+OF THIS DOCUMENT OR ANY PART THEREOF.
+
+--- end of LICENSE ---
+
+-------------------------------------------------------------------------------
diff -r 3f4329f3a19c -r ccc017f54531 make/mapfiles/libj2pkcs11/mapfile-vers
--- a/make/mapfiles/libj2pkcs11/mapfile-vers Fri Sep 04 17:46:08 2020 +0100
+++ b/make/mapfiles/libj2pkcs11/mapfile-vers Mon Sep 14 00:48:39 2020 +0100
@@ -28,6 +28,7 @@
SUNWprivate_1.1 {
global:
JNI_OnLoad;
+ Java_sun_security_pkcs11_wrapper_PKCS11_freeMechanism;
Java_sun_security_pkcs11_wrapper_PKCS11_initializeLibrary;
Java_sun_security_pkcs11_wrapper_PKCS11_finalizeLibrary;
Java_sun_security_pkcs11_wrapper_PKCS11_connect;
diff -r 3f4329f3a19c -r ccc017f54531 src/share/classes/sun/security/pkcs11/P11AEADCipher.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/pkcs11/P11AEADCipher.java Mon Sep 14 00:48:39 2020 +0100
@@ -0,0 +1,754 @@
+/*
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.pkcs11;
+
+import java.io.ByteArrayOutputStream;
+import java.nio.ByteBuffer;
+import java.util.Arrays;
+import java.util.Locale;
+
+import java.security.*;
+import java.security.spec.*;
+
+import javax.crypto.*;
+import javax.crypto.spec.*;
+
+import sun.nio.ch.DirectBuffer;
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.wrapper.*;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
+/**
+ * P11 AEAD Cipher implementation class. This class currently supports
+ * AES with GCM mode.
+ *
+ * Note that AEAD modes do not use padding, so this class does not have
+ * its own padding impl. In addition, NSS CKM_AES_GCM only supports single-part
+ * encryption/decryption, thus the current impl uses PKCS#11 C_Encrypt/C_Decrypt
+ * calls and buffers data until doFinal is called.
+ *
+ * Note that PKCS#11 standard currently only supports GCM and CCM AEAD modes.
+ * There are no provisions for other AEAD modes yet.
+ *
+ * @since 13
+ */
+final class P11AEADCipher extends CipherSpi {
+
+ // mode constant for GCM mode
+ private static final int MODE_GCM = 10;
+
+ // default constants for GCM
+ private static final int GCM_DEFAULT_TAG_LEN = 16;
+ private static final int GCM_DEFAULT_IV_LEN = 16;
+
+ private static final String ALGO = "AES";
+
+ // token instance
+ private final Token token;
+
+ // mechanism id
+ private final long mechanism;
+
+ // mode, one of MODE_* above
+ private final int blockMode;
+
+ // acceptable key size, -1 if more than 1 key sizes are accepted
+ private final int fixedKeySize;
+
+ // associated session, if any
+ private Session session = null;
+
+ // key, if init() was called
+ private P11Key p11Key = null;
+
+ // flag indicating whether an operation is initialized
+ private boolean initialized = false;
+
+ // falg indicating encrypt or decrypt mode
+ private boolean encrypt = true;
+
+ // parameters
+ private byte[] iv = null;
+ private int tagLen = -1;
+ private SecureRandom random = JCAUtil.getSecureRandom();
+
+ // dataBuffer is cleared upon doFinal calls
+ private ByteArrayOutputStream dataBuffer = new ByteArrayOutputStream();
+ // aadBuffer is cleared upon successful init calls
+ private ByteArrayOutputStream aadBuffer = new ByteArrayOutputStream();
+ private boolean updateCalled = false;
+
+ private boolean requireReinit = false;
+ private P11Key lastEncKey = null;
+ private byte[] lastEncIv = null;
+
+ P11AEADCipher(Token token, String algorithm, long mechanism)
+ throws PKCS11Exception, NoSuchAlgorithmException {
+ super();
+ this.token = token;
+ this.mechanism = mechanism;
+
+ String[] algoParts = algorithm.split("/");
+ if (algoParts.length != 3) {
+ throw new ProviderException("Unsupported Transformation format: " +
+ algorithm);
+ }
+ if (!algoParts[0].startsWith("AES")) {
+ throw new ProviderException("Only support AES for AEAD cipher mode");
+ }
+ int index = algoParts[0].indexOf('_');
+ if (index != -1) {
+ // should be well-formed since we specify what we support
+ fixedKeySize = Integer.parseInt(algoParts[0].substring(index+1)) >> 3;
+ } else {
+ fixedKeySize = -1;
+ }
+ this.blockMode = parseMode(algoParts[1]);
+ if (!algoParts[2].equals("NoPadding")) {
+ throw new ProviderException("Only NoPadding is supported for AEAD cipher mode");
+ }
+ }
+
+ protected void engineSetMode(String mode) throws NoSuchAlgorithmException {
+ // Disallow change of mode for now since currently it's explicitly
+ // defined in transformation strings
+ throw new NoSuchAlgorithmException("Unsupported mode " + mode);
+ }
+
+ private int parseMode(String mode) throws NoSuchAlgorithmException {
+ mode = mode.toUpperCase(Locale.ENGLISH);
+ int result;
+ if (mode.equals("GCM")) {
+ result = MODE_GCM;
+ } else {
+ throw new NoSuchAlgorithmException("Unsupported mode " + mode);
+ }
+ return result;
+ }
+
+ // see JCE spec
+ protected void engineSetPadding(String padding)
+ throws NoSuchPaddingException {
+ // Disallow change of padding for now since currently it's explicitly
+ // defined in transformation strings
+ throw new NoSuchPaddingException("Unsupported padding " + padding);
+ }
+
+ // see JCE spec
+ protected int engineGetBlockSize() {
+ return 16; // constant; only AES is supported
+ }
+
+ // see JCE spec
+ protected int engineGetOutputSize(int inputLen) {
+ return doFinalLength(inputLen);
+ }
+
+ // see JCE spec
+ protected byte[] engineGetIV() {
+ return (iv == null) ? null : iv.clone();
+ }
+
+ // see JCE spec
+ protected AlgorithmParameters engineGetParameters() {
+ if (encrypt && iv == null && tagLen == -1) {
+ switch (blockMode) {
+ case MODE_GCM:
+ iv = new byte[GCM_DEFAULT_IV_LEN];
+ tagLen = GCM_DEFAULT_TAG_LEN;
+ break;
+ default:
+ throw new ProviderException("Unsupported mode");
+ }
+ random.nextBytes(iv);
+ }
+ try {
+ AlgorithmParameterSpec spec;
+ String apAlgo;
+ switch (blockMode) {
+ case MODE_GCM:
+ apAlgo = "GCM";
+ spec = new GCMParameterSpec(tagLen << 3, iv);
+ break;
+ default:
+ throw new ProviderException("Unsupported mode");
+ }
+ AlgorithmParameters params =
+ AlgorithmParameters.getInstance(apAlgo);
+ params.init(spec);
+ return params;
+ } catch (GeneralSecurityException e) {
+ // NoSuchAlgorithmException, NoSuchProviderException
+ // InvalidParameterSpecException
+ throw new ProviderException("Could not encode parameters", e);
+ }
+ }
+
+ // see JCE spec
+ protected void engineInit(int opmode, Key key, SecureRandom sr)
+ throws InvalidKeyException {
+ if (opmode == Cipher.DECRYPT_MODE) {
+ throw new InvalidKeyException("Parameters required for decryption");
+ }
+ updateCalled = false;
+ try {
+ implInit(opmode, key, null, -1, sr);
+ } catch (InvalidAlgorithmParameterException e) {
+ throw new InvalidKeyException("init() failed", e);
+ }
+ }
+
+ // see JCE spec
+ protected void engineInit(int opmode, Key key,
+ AlgorithmParameterSpec params, SecureRandom sr)
+ throws InvalidKeyException, InvalidAlgorithmParameterException {
+ if (opmode == Cipher.DECRYPT_MODE && params == null) {
+ throw new InvalidAlgorithmParameterException
+ ("Parameters required for decryption");
+ }
+ updateCalled = false;
+ byte[] ivValue = null;
+ int tagLen = -1;
+ if (params != null) {
+ switch (blockMode) {
+ case MODE_GCM:
+ if (!(params instanceof GCMParameterSpec)) {
+ throw new InvalidAlgorithmParameterException
+ ("Only GCMParameterSpec is supported");
+ }
+ ivValue = ((GCMParameterSpec) params).getIV();
+ tagLen = ((GCMParameterSpec) params).getTLen() >> 3;
+ break;
+ default:
+ throw new ProviderException("Unsupported mode");
+ }
+ }
+ implInit(opmode, key, ivValue, tagLen, sr);
+ }
+
+ // see JCE spec
+ protected void engineInit(int opmode, Key key, AlgorithmParameters params,
+ SecureRandom sr)
+ throws InvalidKeyException, InvalidAlgorithmParameterException {
+ if (opmode == Cipher.DECRYPT_MODE && params == null) {
+ throw new InvalidAlgorithmParameterException
+ ("Parameters required for decryption");
+ }
+ updateCalled = false;
+ try {
+ AlgorithmParameterSpec paramSpec = null;
+ if (params != null) {
+ switch (blockMode) {
+ case MODE_GCM:
+ paramSpec =
+ params.getParameterSpec(GCMParameterSpec.class);
+ break;
+ default:
+ throw new ProviderException("Unsupported mode");
+ }
+ }
+ engineInit(opmode, key, paramSpec, sr);
+ } catch (InvalidParameterSpecException ex) {
+ throw new InvalidAlgorithmParameterException(ex);
+ }
+ }
+
+ // actual init() implementation
+ private void implInit(int opmode, Key key, byte[] iv, int tagLen,
+ SecureRandom sr)
+ throws InvalidKeyException, InvalidAlgorithmParameterException {
+ reset(true);
+ if (fixedKeySize != -1 && key.getEncoded().length != fixedKeySize) {
+ throw new InvalidKeyException("Key size is invalid");
+ }
+ P11Key newKey = P11SecretKeyFactory.convertKey(token, key, ALGO);
+ switch (opmode) {
+ case Cipher.ENCRYPT_MODE:
+ encrypt = true;
+ requireReinit = Arrays.equals(iv, lastEncIv) &&
+ (newKey == lastEncKey);
+ if (requireReinit) {
+ throw new InvalidAlgorithmParameterException
+ ("Cannot reuse iv for GCM encryption");
+ }
+ break;
+ case Cipher.DECRYPT_MODE:
+ encrypt = false;
+ requireReinit = false;
+ break;
+ default:
+ throw new InvalidAlgorithmParameterException
+ ("Unsupported mode: " + opmode);
+ }
+
+ // decryption without parameters is checked in all engineInit() calls
+ if (sr != null) {
+ this.random = sr;
+ }
+ if (iv == null && tagLen == -1) {
+ // generate default values
+ switch (blockMode) {
+ case MODE_GCM:
+ iv = new byte[GCM_DEFAULT_IV_LEN];
+ this.random.nextBytes(iv);
+ tagLen = GCM_DEFAULT_TAG_LEN;
+ break;
+ default:
+ throw new ProviderException("Unsupported mode");
+ }
+ }
+ this.iv = iv;
+ this.tagLen = tagLen;
+ this.p11Key = newKey;
+ try {
+ initialize();
+ } catch (PKCS11Exception e) {
+ throw new InvalidKeyException("Could not initialize cipher", e);
+ }
+ }
+
+ private void cancelOperation() {
+ // cancel operation by finishing it; avoid killSession as some
+ // hardware vendors may require re-login
+ int bufLen = doFinalLength(0);
+ byte[] buffer = new byte[bufLen];
+ byte[] in = dataBuffer.toByteArray();
+ int inLen = in.length;
+ try {
+ if (encrypt) {
+ token.p11.C_Encrypt(session.id(), 0, in, 0, inLen,
+ 0, buffer, 0, bufLen);
+ } else {
+ token.p11.C_Decrypt(session.id(), 0, in, 0, inLen,
+ 0, buffer, 0, bufLen);
+ }
+ } catch (PKCS11Exception e) {
+ if (encrypt) {
+ throw new ProviderException("Cancel failed", e);
+ }
+ // ignore failure for decryption
+ }
+ }
+
+ private void ensureInitialized() throws PKCS11Exception {
+ if (initialized && aadBuffer.size() > 0) {
+ // need to cancel first to avoid CKR_OPERATION_ACTIVE
+ reset(true);
+ }
+ if (!initialized) {
+ initialize();
+ }
+ }
+
+ private void initialize() throws PKCS11Exception {
+ if (p11Key == null) {
+ throw new ProviderException(
+ "Operation cannot be performed without"
+ + " calling engineInit first");
+ }
+ if (requireReinit) {
+ throw new IllegalStateException
+ ("Must use either different key or iv for GCM encryption");
+ }
+
+ token.ensureValid();
+
+ byte[] aad = (aadBuffer.size() > 0? aadBuffer.toByteArray() : null);
+
+ long p11KeyID = p11Key.getKeyID();
+ try {
+ if (session == null) {
+ session = token.getOpSession();
+ }
+ CK_MECHANISM mechWithParams;
+ switch (blockMode) {
+ case MODE_GCM:
+ mechWithParams = new CK_MECHANISM(mechanism,
+ new CK_GCM_PARAMS(tagLen << 3, iv, aad));
+ break;
+ default:
+ throw new ProviderException("Unsupported mode: " + blockMode);
+ }
+ if (encrypt) {
+ token.p11.C_EncryptInit(session.id(), mechWithParams,
+ p11KeyID);
+ } else {
+ token.p11.C_DecryptInit(session.id(), mechWithParams,
+ p11KeyID);
+ }
+ } catch (PKCS11Exception e) {
+ //e.printStackTrace();
+ p11Key.releaseKeyID();
+ session = token.releaseSession(session);
+ throw e;
+ } finally {
+ dataBuffer.reset();
+ aadBuffer.reset();
+ }
+ initialized = true;
+ }
+
+ // if doFinal(inLen) is called, how big does the output buffer have to be?
+ private int doFinalLength(int inLen) {
+ if (inLen < 0) {
+ throw new ProviderException("Invalid negative input length");
+ }
+
+ int result = inLen + dataBuffer.size();
+ if (encrypt) {
+ result += tagLen;
+ } else {
+ // PKCS11Exception: CKR_BUFFER_TOO_SMALL
+ //result -= tagLen;
+ }
+ return result;
+ }
+
+ // reset the states to the pre-initialized values
+ private void reset(boolean doCancel) {
+ if (!initialized) {
+ return;
+ }
+ initialized = false;
+
+ try {
+ if (session == null) {
+ return;
+ }
+
More information about the distro-pkg-dev
mailing list