RFR: 8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec [v4]
Michael StJohns
mstjohns at comcast.net
Sat Mar 20 18:11:01 UTC 2021
On 3/20/2021 1:54 PM, SalusaSecondus wrote:
> On Thu, 18 Mar 2021 20:25:59 GMT, Ziyi Luo <luoziyi at openjdk.org> wrote:
>
>>> This looks to cover the cases and fixes we talked about.
>> @valeriepeng Sorry for the delay. There were unknown Windows build failure during the pre-submit tests that I have to rebase my commits on top of the master tip. This new revision should cover all comments you left before. Thank you!
> Mike,
>
> From what I can find, if you try to get a spec from a non-extractable key you'll get an `InvalidKeySpecException`.
> 1. `C_GetAttributeValue`will throw a `PKCS11Exception`
> 2. The `PKCS11Exception` gets caught in [P11KeyFactory](https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyFactory.java#L98-L99) which rethrows it as an `InvalidKeySpecException`.
>
> -------------
>
> PR: https://git.openjdk.java.net/jdk/pull/2949
Given that, I'd refactor the code to pull the CKA_SENSITIVE and
CKA_EXPORTABLE attributes first and throw a more specific message if the
key is not extractable rather than having to fail twice before throwing
the error. (I.e., you try both combos of the attributes and both are
failing on the inability to pull the private exponent).
Either that or fail early by checking the error code of the first thrown
PKCS11Exception against CKR_ATTRIBUTE_SENSITIVE.
> } catch (final PKCS11Exception ex) {
if (ex.getErrorCode() == PKCS11Constants.CKR_ATTRIBUTE_SENSITIVE) {
throw new InvalidKeySpecException ("Sensitive key may not be
extracted", ex);
}
> // bubble this up if RSAPrivateCrtKeySpec is specified
> // otherwise fall through to RSAPrivateKeySpec
> if (!keySpec.isAssignableFrom(RSAPrivateKeySpec.class)) {
> throw ex;
> }
> } finally {
> key.releaseKeyID();
> }
Later, Mike
More information about the security-dev
mailing list