RFR: 8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec [v4]

Michael StJohns mstjohns at comcast.net
Fri Mar 19 19:06:28 UTC 2021


On 3/19/2021 2:24 PM, Valerie Peng wrote:
>
> some* reason (even if I cannot figure out why).
> Well, for `P11RSAKeyFactory`, I think some minor modification may be needed given the additional P11PrivateKey type.
> I'd expect it to be something like:
>          // must be either RSAPrivateKeySpec or RSAPrivateCrtKeySpec
>          if (keySpec.isAssignableFrom(RSAPrivateCrtKeySpec.class)) {
>              session[0] = token.getObjSession();
>              CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
>                  new CK_ATTRIBUTE(CKA_MODULUS),
>                  new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT),
>                  new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT),

If the PKCS11 private key has the CKA_SENSITIVE attribute set to true or 
CKA_EXPORTABLE set to false, you can't retrieve the above attribute.  
AIRC, the contract for getting a Key from an unextractable PKCS11 
private key is to return a key that implements both PrivateKey and 
RSAKey, but doesn't implement either of the RSAPrivateKey interfaces.   
I don't know what the contract is for producing KeySpecs from 
unextractable keys.

Mike


>                  new CK_ATTRIBUTE(CKA_PRIME_1),
>                  new CK_ATTRIBUTE(CKA_PRIME_2),
>                  new CK_ATTRIBUTE(CKA_EXPONENT_1),
>                  new CK_ATTRIBUTE(CKA_EXPONENT_2),
>                  new CK_ATTRIBUTE(CKA_COEFFICIENT),
>              };
>              long keyID = key.getKeyID();
>              try {
>                  token.p11.C_GetAttributeValue(session[0].id(), keyID, attributes);
>                  KeySpec spec = new RSAPrivateCrtKeySpec(
>                      attributes[0].getBigInteger(),
>                      attributes[1].getBigInteger(),
>                      attributes[2].getBigInteger(),
>                      attributes[3].getBigInteger(),
>                      attributes[4].getBigInteger(),
>                      attributes[5].getBigInteger(),
>                      attributes[6].getBigInteger(),
>                      attributes[7].getBigInteger()
>                  );
>                  return keySpec.cast(spec);
>              } catch (final PKCS11Exception ex) {
>                  // bubble this up if RSAPrivateCrtKeySpec is specified
>                  // otherwise fall through to RSAPrivateKeySpec
>                  if (!keySpec.isAssignableFrom(RSAPrivateKeySpec.class)) {
>                      throw ex;
>                  }
>              }  finally {
>                  key.releaseKeyID();
>              }
>
>              attributes = new CK_ATTRIBUTE[] {
>                  new CK_ATTRIBUTE(CKA_MODULUS),
>                  new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT),
>              };
>              keyID = key.getKeyID();
>              try {
>                  token.p11.C_GetAttributeValue(session[0].id(), keyID, attributes);
>              } finally {
>                  key.releaseKeyID();
>              }
>
>              KeySpec spec = new RSAPrivateKeySpec(
>                  attributes[0].getBigInteger(),
>                  attributes[1].getBigInteger()
>              );
>              return keySpec.cast(spec);
>          } else { // PKCS#8 handled in superclass
>              throw new InvalidKeySpecException("Only RSAPrivate(Crt)KeySpec "
>                  + "and PKCS8EncodedKeySpec supported for RSA private keys");
>          }
>      }
>
> -------------
>
> PR: https://git.openjdk.java.net/jdk/pull/2949
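The two concerns raised in this thread, returning exactly the spec class the caller asked for (the subject of JDK-8263404) and not assuming a PKCS#11 key's private attributes are readable, as an added example that is neither the JDK's nor the PR's code: a hypothetical `export` helper that builds an `RSAPrivateKeySpec` only from (n, d) even when CRT values exist, and treats any key that is not an `RSAPrivateKey` as non-exportable; `opaqueKey` is a constructed stand-in for a sensitive or non-extractable token key (PrivateKey + RSAKey only), and the demo uses SunRsaSign keys rather than a real PKCS#11 provider.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;
public final class RsaSpecExport {
    /** Returns exactly the requested spec class, never its CRT subclass (cf. JDK-8263404); null for a
     *  key exposing no private material, e.g. an unextractable PKCS#11 key (PrivateKey + RSAKey only). */
    public static <T extends KeySpec> T export(PrivateKey key, Class<T> specClass)
            throws InvalidKeySpecException {
        if (!(key instanceof RSAPrivateKey)) return null;       // opaque key: nothing to export
        RSAPrivateKey rsa = (RSAPrivateKey) key;
        if (specClass == RSAPrivateCrtKeySpec.class) {
            if (!(rsa instanceof RSAPrivateCrtKey)) {
                throw new InvalidKeySpecException("key carries no CRT parameters");
            }
            RSAPrivateCrtKey c = (RSAPrivateCrtKey) rsa;
            return specClass.cast(new RSAPrivateCrtKeySpec(c.getModulus(), c.getPublicExponent(),
                    c.getPrivateExponent(), c.getPrimeP(), c.getPrimeQ(), c.getPrimeExponentP(),
                    c.getPrimeExponentQ(), c.getCrtCoefficient()));
        }
        if (specClass == RSAPrivateKeySpec.class) {
            // Caller asked for (n, d) only: build the plain spec even if CRT values exist.
            return specClass.cast(new RSAPrivateKeySpec(rsa.getModulus(), rsa.getPrivateExponent()));
        }
        throw new InvalidKeySpecException("unsupported key spec " + specClass.getName());
    }
    /** Constructed stand-in for an unextractable PKCS#11 key: PrivateKey + RSAKey, nothing more. */
    static PrivateKey opaqueKey(final BigInteger modulus) {
        class Opaque implements PrivateKey, RSAKey {
            public String getAlgorithm() { return "RSA"; }
            public String getFormat() { return null; }
            public byte[] getEncoded() { return null; }
            public BigInteger getModulus() { return modulus; }
        }
        return new Opaque();
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        RSAPrivateKey crt = (RSAPrivateKey) kpg.generateKeyPair().getPrivate();   // CRT key
        PrivateKey plain = KeyFactory.getInstance("RSA").generatePrivate(         // (n, d) only
                new RSAPrivateKeySpec(crt.getModulus(), crt.getPrivateExponent()));
        System.out.println(export(crt, RSAPrivateKeySpec.class).getClass().getSimpleName());
        System.out.println(export(crt, RSAPrivateCrtKeySpec.class).getClass().getSimpleName());
        System.out.println(export(opaqueKey(crt.getModulus()), RSAPrivateKeySpec.class));
        try { export(plain, RSAPrivateCrtKeySpec.class); }
        catch (InvalidKeySpecException e) { System.out.println("non-CRT key: " + e.getMessage()); }
    }
}
```

Against a real PKCS#11 provider the opaque branch is the one a sensitive or non-extractable key would take, since the provider hands back a key object without the private interfaces rather than letting C_GetAttributeValue fail deep inside a spec conversion.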
