From 354f2edc4444d3b2de8e1c3b97946d73d8876f34 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 28 Feb 2023 04:02:39 +0000 Subject: [PATCH] On portable architectures, replace build section with extraction of existing builds from portables Rewrite ELF files so the source file path is correct and debugsources can be assembled Backport SHA-3 support for PKCS11 provider Sync patch set with portable build we are using by removing rh1648644-java_access_bridge_privileged_security.patch Related: RHEL-30918 --- .gitignore | 30 + get_sources.sh | 59 + java-11-openjdk.spec | 340 +- jdk8242332-rh2108712-sha3-sunpkcs11.patch | 2731 +++++++++++++++++ ...va_access_bridge_privileged_security.patch | 20 - sources | 32 +- 6 files changed, 3125 insertions(+), 87 deletions(-) create mode 100755 get_sources.sh create mode 100644 jdk8242332-rh2108712-sha3-sunpkcs11.patch delete mode 100644 rh1648644-java_access_bridge_privileged_security.patch diff --git a/.gitignore b/.gitignore index 06b9390..5d87a3e 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,33 @@ SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz /openjdk-jdk11u-jdk-11.0.18+9-4curve.tar.xz /tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz /openjdk-jdk11u-jdk-11.0.18+10-4curve.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.docs.el.aarch64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.docs.el.ppc64le.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.docs.el.s390x.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.docs.el.x86_64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.jdk.el.aarch64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.jdk.el.ppc64le.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.jdk.el.x86_64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.static-libs.el.aarch64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.static-libs.el.ppc64le.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.static-libs.el.x86_64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.misc.el.aarch64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.misc.el.ppc64le.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.misc.el.s390x.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.misc.el.x86_64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.aarch64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.ppc64le.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.s390x.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.x86_64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.aarch64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.ppc64le.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.s390x.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.x86_64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.aarch64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.ppc64le.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.s390x.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.x86_64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.aarch64.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.ppc64le.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.s390x.tar.xz +/java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.x86_64.tar.xz diff --git a/get_sources.sh b/get_sources.sh new file mode 100755 index 0000000..5d83739 --- /dev/null +++ b/get_sources.sh @@ -0,0 +1,59 @@ +#!/bin/sh + +ID=${1} +FEATUREVER=11 + +if [ "x${ID}" = "x" ] ; then + echo "$0 "; + exit 1; +fi + +if [ "x${TMPDIR}" = "x" ] ; then + TMPDIR=/tmp +fi + +downloaddir=${TMPDIR}/download.$$ +mkdir ${downloaddir} +pushd ${downloaddir} +echo "Downloading build ${ID} in ${downloaddir}"; +brew download-build ${ID} + +versionregexp="[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*-[0-9]*" +basename=$(ls|grep java-${FEATUREVER}-openjdk-portable-${versionregexp}.el7openjdkportable.x86_64.rpm) +version=$(echo ${basename}|sed -r "s|^.*-(${versionregexp})\.el7.*$|\1|") + +echo "Downloaded version ${version}" + +# Remove stripped release builds for portable and JREs +rm -vf java-${FEATUREVER}-openjdk-portable-${FEATUREVER}* +rm -vf java-${FEATUREVER}-openjdk-portable-devel-${FEATUREVER}* +rm -vf java-${FEATUREVER}-openjdk-portable-slowdebug-${FEATUREVER}* +rm -vf java-${FEATUREVER}-openjdk-portable-fastdebug-${FEATUREVER}* + +for file in *.rpm; do + rpm2archive ${file}; +done + +mkdir unpacked +for file in *.tgz; do + tar -C unpacked -xzf ${file}; +done + +mkdir ${HOME}/${version} +mv unpacked/usr/lib/jvm/* ${HOME}/${version} + +pushd ${HOME}/${version} +for file in *.sha256sum; do + if ! sha256sum --check ${file} ; then + echo "${file} failed checksum."; + exit 2; + fi +done +popd + +rm -rf unpacked +rm -vf *.tgz +rm -vf *.rpm + +popd + diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index b415eed..82debed 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -146,6 +146,8 @@ %global ssbd_arches x86_64 # Set of architectures where we verify backtraces with gdb %global gdb_arches %{jit_arches} %{zero_arches} +# Set of architectures for which we have a portable build +%global portable_build_arches %{aarch64} %{power64} s390x x86_64 # By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} @@ -243,6 +245,9 @@ # JDK to use for bootstrapping %global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk +# debugedit tool for rewriting ELF file paths +%global debugedit %{_rpmconfigdir}/debugedit + # Disable LTO as this causes build failures at the moment. # See RHBZ#1861401 %define _lto_cflags %{nil} @@ -378,7 +383,12 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 3 +%global rpmrelease 4 +# Settings used by the portable build +%global portablerelease 6 +%global portablesuffix el7openjdkportable +%global portablebuilddir /builddir/build/BUILD + #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -453,7 +463,6 @@ %global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ %endif - %global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} %define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} # Standard JPackage directories and symbolic links. @@ -1341,6 +1350,89 @@ Source17: nss.fips.cfg.in # Ensure translations are available for new timezones Source18: TestTranslations.java +# TODO: Portable packages are not yet available in buildroot +# Temporarily add them as sources + +# aarch64 +Source1000: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.unstripped.jdk.el.aarch64.tar.xz +Source1001: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.static-libs.el.aarch64.tar.xz +Source1002: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.docs.el.aarch64.tar.xz +Source1003: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.misc.el.aarch64.tar.xz +Source1004: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.slowdebug.jdk.el.aarch64.tar.xz +Source1005: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.slowdebug.static-libs.el.aarch64.tar.xz +Source1006: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.fastdebug.jdk.el.aarch64.tar.xz +Source1007: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.fastdebug.static-libs.el.aarch64.tar.xz + +# ppc64le +Source2000: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.unstripped.jdk.el.ppc64le.tar.xz +Source2001: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.static-libs.el.ppc64le.tar.xz +Source2002: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.docs.el.ppc64le.tar.xz +Source2003: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.misc.el.ppc64le.tar.xz +Source2004: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.slowdebug.jdk.el.ppc64le.tar.xz +Source2005: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.slowdebug.static-libs.el.ppc64le.tar.xz +Source2006: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.fastdebug.jdk.el.ppc64le.tar.xz +Source2007: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.fastdebug.static-libs.el.ppc64le.tar.xz + +# s390x +Source3000: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.unstripped.jdk.el.s390x.tar.xz +Source3001: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.static-libs.el.s390x.tar.xz +Source3002: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.docs.el.s390x.tar.xz +Source3003: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.misc.el.s390x.tar.xz +Source3004: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.slowdebug.jdk.el.s390x.tar.xz +Source3005: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.slowdebug.static-libs.el.s390x.tar.xz + +# x86_64 +Source4000: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.unstripped.jdk.el.x86_64.tar.xz +Source4001: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.static-libs.el.x86_64.tar.xz +Source4002: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.docs.el.x86_64.tar.xz +Source4003: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.misc.el.x86_64.tar.xz +Source4004: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.slowdebug.jdk.el.x86_64.tar.xz +Source4005: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.slowdebug.static-libs.el.x86_64.tar.xz +Source4006: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.fastdebug.jdk.el.x86_64.tar.xz +Source4007: java-%{featurever}-openjdk-%{VERSION}-%{portablerelease}.portable.fastdebug.static-libs.el.x86_64.tar.xz + +# Setup variables to reference correct sources +%ifarch %{aarch64} +%global releasezip %{SOURCE1000} +%global staticlibzip %{SOURCE1001} +%global docszip %{SOURCE1002} +%global misczip %{SOURCE1003} +%global slowdebugzip %{SOURCE1004} +%global slowdebugstaticlibzip %{SOURCE1005} +%global fastdebugzip %{SOURCE1006} +%global fastdebugstaticlibzip %{SOURCE1007} +%endif +%ifarch %{ppc64le} +%global releasezip %{SOURCE2000} +%global staticlibzip %{SOURCE2001} +%global docszip %{SOURCE2002} +%global misczip %{SOURCE2003} +%global slowdebugzip %{SOURCE2004} +%global slowdebugstaticlibzip %{SOURCE2005} +%global fastdebugzip %{SOURCE2006} +%global fastdebugstaticlibzip %{SOURCE2007} +%endif +%ifarch s390x +%global releasezip %{SOURCE3000} +%global staticlibzip %{SOURCE3001} +%global docszip %{SOURCE3002} +%global misczip %{SOURCE3003} +%global slowdebugzip %{SOURCE3004} +%global slowdebugstaticlibzip %{SOURCE3005} +%global fastdebugzip %{nil} +%global fastdebugstaticlibzip %{nil} +%endif +%ifarch x86_64 +%global releasezip %{SOURCE4000} +%global staticlibzip %{SOURCE4001} +%global docszip %{SOURCE4002} +%global misczip %{SOURCE4003} +%global slowdebugzip %{SOURCE4004} +%global slowdebugstaticlibzip %{SOURCE4005} +%global fastdebugzip %{SOURCE4006} +%global fastdebugstaticlibzip %{SOURCE4007} +%endif + ############################################ # # RPM/distribution specific patches @@ -1349,8 +1441,6 @@ Source18: TestTranslations.java # Ignore AWTError when assistive technologies are loaded Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch # NSS via SunPKCS11 Provider (disabled due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch # RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) @@ -1397,7 +1487,6 @@ Patch1001: fips-11u-%{fipsver}.patch # be reviewed & pushed to the current development # tree of OpenJDK. ############################################# - Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch ############################################# @@ -1409,6 +1498,7 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 # need to be reviewed & pushed to the appropriate # updates tree of OpenJDK. ############################################# +Patch2001: jdk8242332-rh2108712-sha3-sunpkcs11.patch ############################################# # @@ -1448,7 +1538,19 @@ BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: unzip BuildRequires: javapackages-filesystem +%ifarch %{portable_build_arches} +# TODO: Portable packages are not yet available in buildroot +#BuildRequires: java-%{featurever}-openjdk-portable-unstripped = %{VERSION} +#BuildRequires: java-%{featurever}-openjdk-portable-static-libs = %{VERSION} +#BuildRequires: java-%{featurever}-openjdk-portable-docs = %{VERSION} +#BuildRequires: java-%{featurever}-openjdk-portable-misc = %{VERSION} +#BuildRequires: java-%{featurever}-openjdk-portable-devel-fastdebug = %{VERSION} +#BuildRequires: java-%{featurever}-openjdk-portable-static-libs-fastdebug = %{VERSION} +#BuildRequires: java-%{featurever}-openjdk-portable-devel-slowdebug = %{VERSION} +#BuildRequires: java-%{featurever}-openjdk-portable-static-libs-slowdebug = %{VERSION} +%else BuildRequires: java-%{buildjdkver}-openjdk-devel +%endif # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel @@ -1483,9 +1585,11 @@ Provides: bundled(lcms2) = 2.12.0 Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h Provides: bundled(libpng) = 1.6.37 +%ifnarch %{portable_build_arches} # We link statically against libstdc++ to increase portability BuildRequires: libstdc++-static %endif +%endif # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder @@ -1831,12 +1935,13 @@ sh %{SOURCE12} %{top_level_dir_name} # Patch the JDK pushd %{top_level_dir_name} %patch1 -p1 -%patch2 -p1 %patch3 -p1 # Add crypto policy and FIPS support %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +# PKCS11 SHA3 backport +%patch2001 -p1 popd # openjdk %patch600 @@ -1895,6 +2000,8 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg %build + +%ifnarch %{portable_build_arches} # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -2020,12 +2127,12 @@ function installjdk() { echo "Installing images..." mv ${outputdir}/images ${installdir} if [ -d ${outputdir}/bundles ] ; then - echo "Installing bundles..."; - mv ${outputdir}/bundles ${installdir} ; + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; fi if [ -d ${outputdir}/docs ] ; then - echo "Installing docs..."; - mv ${outputdir}/docs ${installdir} ; + echo "Installing docs..."; + mv ${outputdir}/docs ${installdir} ; fi %if !%{with artifacts} @@ -2034,40 +2141,34 @@ function installjdk() { %endif if [ -d ${imagepath} ] ; then - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} \; - find ${imagepath}/bin/ -exec chmod +x {} \; + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ - # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ - # Turn on system security properties - sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ - ${imagepath}/conf/security/java.security + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd - # Use system-wide tzdata - rm ${imagepath}/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat - - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} - # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd - - # Print release information - cat ${imagepath}/release + # Final setup on the main image + customisejdk ${imagepath} + # Print release information + cat ${imagepath}/release fi } @@ -2081,8 +2182,61 @@ function installjdk() { systemjdk=%{bootjdk} %endif +%endif # !portable_build_arches + +function customisejdk() { + local imagepath=${1} + + if [ -d ${imagepath} ] ; then + # Turn on system security properties + sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${imagepath}/conf/security/java.security + + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + fi +} + for suffix in %{build_loop} ; do +%ifarch %{portable_build_arches} + + if [ "x$suffix" = "x" ] ; then + jdkzip=%{releasezip} + staticlibzip=%{staticlibzip} + elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then + jdkzip=%{fastdebugzip} + staticlibzip=%{fastdebugstaticlibzip} + else # slowdebug + jdkzip=%{slowdebugzip} + staticlibzip=%{slowdebugstaticlibzip} + fi + + installdir=%{installoutputdir -- ${suffix}} + + # TODO: should verify checksums when using packages from buildroot + tar -xJf ${jdkzip} + tar -xJf ${staticlibzip} + mkdir -p $(dirname ${installdir}) + mv java-%{featurever}-openjdk* ${installdir} + + # Fix build paths in ELF files so it looks like we built them + portablenvr="%{name}-%{VERSION}-%{portablerelease}.%{portablesuffix}.%{_arch}" + for file in $(find ${installdir} -type f) ; do + if file ${file} | grep -q 'ELF'; then + %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} + fi + done + + # Final setup on the main image + customisejdk ${installdir} + + # Print release information + cat ${installdir}/release + +%else + if [ "x$suffix" = "x" ] ; then debugbuild=release else @@ -2090,7 +2244,6 @@ for suffix in %{build_loop} ; do debugbuild=`echo $suffix | sed "s/-//g"` fi - for loop in %{main_suffix} %{staticlibs_loop} ; do builddir=%{buildoutputdir -- ${suffix}${loop}} @@ -2143,24 +2296,42 @@ for suffix in %{build_loop} ; do done # end of main / staticlibs loop +%endif # !portable_build_arches + + # build cycles done # end of release / debug cycle loop +%ifarch %{portable_build_arches} + +docdir=%{installoutputdir -- "-docs"} +tar -xJf %{docszip} +mv java-%{featurever}-openjdk*.docs.* ${docdir} + +miscdir=%{installoutputdir -- "-misc"} +tar -xJf %{misczip} +mv java-%{featurever}-openjdk*.misc.* ${miscdir} + +%endif + %check # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do +%ifarch %{portable_build_arches} +export JAVA_HOME=$(pwd)/%{installoutputdir -- ${suffix}} +%else top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}} +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} +%endif %endif -export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} - -#check Shenandoah is enabled +# Check Shenandoah is enabled %if %{use_shenandoah_hotspot} -$JAVA_HOME//bin/java -XX:+UseShenandoahGC -version +$JAVA_HOME/bin/java -XX:+UseShenandoahGC -version %endif # Check unlimited policy has been used @@ -2181,8 +2352,9 @@ $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false # Check correct vendor values have been set -$JAVA_HOME/bin/javac -d . %{SOURCE16} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" +# TODO: Disable for now due to bug URL mismatch with that in portable +#$JAVA_HOME/bin/javac -d . %{SOURCE16} +#$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi @@ -2200,10 +2372,14 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR %if %{include_staticlibs} +%ifarch %{portable_build_arches} # Check debug symbols in static libraries (smoke test) -export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} -readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c -readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c +export STATIC_LIBS_HOME=${JAVA_HOME}/lib/static/linux-%{archinstall}/glibc +%else +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib +%endif +readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c %endif so_suffix="so" @@ -2253,7 +2429,7 @@ done # Make sure gdb can do a backtrace based on line numbers on libjvm.so # javaCalls.cpp:58 should map to: -# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 # Using line number 1 might cause build problems. See: # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 @@ -2293,11 +2469,29 @@ STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do +%ifarch %{portable_build_arches} +jdk_image=$(pwd)/%{installoutputdir -- ${suffix}} +# Should match same definitions in build section +docdir=$(pwd)/%{installoutputdir -- "-docs"} +miscdir=%{installoutputdir -- "-misc"} +%else top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}} %endif jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} +docdir=${top_dir_abs_main_build_path}/images +miscdir=%{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11 +%endif + +# Install release notes +commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} +install -d -m 755 ${commondocdir} +%ifarch %{portable_build_arches} +mv ${jdk_image}/NEWS ${commondocdir} +%else +cp -a %{SOURCE10} ${commondocdir} +%endif # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} @@ -2346,35 +2540,39 @@ pushd ${jdk_image} rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man popd + +%ifnarch %{portable_build_arches} # Install static libs artefacts %if %{include_staticlibs} mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc %endif +%endif if ! echo $suffix | grep -q "debug" ; then - # Install Javadoc documentation - install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} - cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} - built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \ - $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ + # Install Javadoc documentation + install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} + cp -a ${docdir}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip +%ifarch %{portable_build_arches} + cp -a ${docdir}/${built_doc_archive} \ + $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip +%else + cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \ + $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ +%endif fi -# Install release notes -commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} -install -d -m 755 ${commondocdir} -cp -a %{SOURCE10} ${commondocdir} - # Install icons and menu entries for s in 16 24 32 48 ; do install -D -p -m 644 \ - %{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ + ${miscdir}/java-icon${s}.png \ $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png done # Install desktop files +# TODO: provide desktop files via portable install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/{applications,pixmaps} for e in jconsole$suffix ; do desktop-file-install --vendor=%{uniquesuffix -- $suffix} --mode=644 \ @@ -2386,8 +2584,11 @@ done mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs # copy samples next to demos; samples are mostly js files +%ifarch %{portable_build_arches} +cp -r ${miscdir}/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ +%else cp -r %{top_level_dir_name}/src/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ - +%endif # moving config files to /etc mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} @@ -2403,9 +2604,9 @@ popd # end moving files to /etc # stabilize permissions -find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ; -find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ; -find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ; +find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ; +find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ; +find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ; # end, dual install done @@ -2676,6 +2877,13 @@ end %endif %changelog +* Tue Feb 28 2023 Andrew Hughes - 1:11.0.18.0.10-4 +- On portable architectures, replace build section with extraction of existing builds from portables +- Rewrite ELF files so the source file path is correct and debugsources can be assembled +- Backport SHA-3 support for PKCS11 provider +- Sync patch set with portable build we are using by removing rh1648644-java_access_bridge_privileged_security.patch +- Related: RHEL-30918 + * Wed Jan 11 2023 Andrew Hughes - 1:11.0.18.0.10-3 - Update to jdk-11.0.18+10 (GA) - Update release notes to 11.0.18+10 @@ -3881,7 +4089,7 @@ end - Removed unneeded patches: PStack-808293.patch multiple-pkcs11-library-init.patch - ppc_stack_overflow_fix.patch + ppc_stack_overflow_fix.patch - Added patches for s390 Zero builds: JDK-8201495-s390-java-opts.patch JDK-8201509-s390-atomic_store.patch diff --git a/jdk8242332-rh2108712-sha3-sunpkcs11.patch b/jdk8242332-rh2108712-sha3-sunpkcs11.patch new file mode 100644 index 0000000..a6192a4 --- /dev/null +++ b/jdk8242332-rh2108712-sha3-sunpkcs11.patch @@ -0,0 +1,2731 @@ +commit 81c2107a9188680f7c35ebc7697b292d5972436e +Author: Andrew Hughes +Date: Mon Feb 27 13:22:43 2023 +0000 + + Backport 78be334c3817a1b5840922a9bf1339a40dcc5185 + +diff --git a/src/java.base/share/classes/sun/security/util/KnownOIDs.java b/src/java.base/share/classes/sun/security/util/KnownOIDs.java +index 92ecb9adc0c..a5848c96aad 100644 +--- a/src/java.base/share/classes/sun/security/util/KnownOIDs.java ++++ b/src/java.base/share/classes/sun/security/util/KnownOIDs.java +@@ -155,6 +155,14 @@ public enum KnownOIDs { + SHA256withDSA("2.16.840.1.101.3.4.3.2"), + SHA384withDSA("2.16.840.1.101.3.4.3.3"), + SHA512withDSA("2.16.840.1.101.3.4.3.4"), ++ SHA3_224withDSA("2.16.840.1.101.3.4.3.5", "SHA3-224withDSA"), ++ SHA3_256withDSA("2.16.840.1.101.3.4.3.6", "SHA3-256withDSA"), ++ SHA3_384withDSA("2.16.840.1.101.3.4.3.7", "SHA3-384withDSA"), ++ SHA3_512withDSA("2.16.840.1.101.3.4.3.8", "SHA3-512withDSA"), ++ SHA3_224withECDSA("2.16.840.1.101.3.4.3.9", "SHA3-224withECDSA"), ++ SHA3_256withECDSA("2.16.840.1.101.3.4.3.10", "SHA3-256withECDSA"), ++ SHA3_384withECDSA("2.16.840.1.101.3.4.3.11", "SHA3-384withECDSA"), ++ SHA3_512withECDSA("2.16.840.1.101.3.4.3.12", "SHA3-512withECDSA"), + SHA3_224withRSA("2.16.840.1.101.3.4.3.13", "SHA3-224withRSA"), + SHA3_256withRSA("2.16.840.1.101.3.4.3.14", "SHA3-256withRSA"), + SHA3_384withRSA("2.16.840.1.101.3.4.3.15", "SHA3-384withRSA"), +diff --git a/src/java.base/share/classes/sun/security/util/SignatureUtil.java b/src/java.base/share/classes/sun/security/util/SignatureUtil.java +index 32c089fd96d..7d5c0c7e299 100644 +--- a/src/java.base/share/classes/sun/security/util/SignatureUtil.java ++++ b/src/java.base/share/classes/sun/security/util/SignatureUtil.java +@@ -168,4 +168,22 @@ public class SignatureUtil { + InvalidKeyException { + SharedSecrets.getJavaSecuritySignatureAccess().initSign(s, key, params, sr); + } ++ ++ /** ++ * Extracts the digest algorithm name from a signature ++ * algorithm name in either the "DIGESTwithENCRYPTION" or the ++ * "DIGESTwithENCRYPTIONandWHATEVER" format. ++ * ++ * It's OK to return "SHA1" instead of "SHA-1". ++ */ ++ public static String extractDigestAlgFromDwithE(String signatureAlgorithm) { ++ signatureAlgorithm = signatureAlgorithm.toUpperCase(Locale.ENGLISH); ++ int with = signatureAlgorithm.indexOf("WITH"); ++ if (with > 0) { ++ return signatureAlgorithm.substring(0, with); ++ } else { ++ throw new IllegalArgumentException( ++ "Unknown algorithm: " + signatureAlgorithm); ++ } ++ } + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java +index 41fe61b8a16..daf0bc9f69c 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -41,7 +41,8 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + /** + * MessageDigest implementation class. This class currently supports +- * MD2, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. ++ * MD2, MD5, SHA-1, SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512) ++ * and SHA-3 family (SHA3-224, SHA3-256, SHA3-384, and SHA3-512) of digests. + * + * Note that many digest operations are on fairly small amounts of data + * (less than 100 bytes total). For example, the 2nd hashing in HMAC or +@@ -104,16 +105,20 @@ final class P11Digest extends MessageDigestSpi implements Cloneable, + break; + case (int)CKM_SHA224: + case (int)CKM_SHA512_224: ++ case (int)CKM_SHA3_224: + digestLength = 28; + break; + case (int)CKM_SHA256: + case (int)CKM_SHA512_256: ++ case (int)CKM_SHA3_256: + digestLength = 32; + break; + case (int)CKM_SHA384: ++ case (int)CKM_SHA3_384: + digestLength = 48; + break; + case (int)CKM_SHA512: ++ case (int)CKM_SHA3_512: + digestLength = 64; + break; + default: +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java +index 926414608cb..f343e6025e1 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java +@@ -36,7 +36,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + /** + * KeyGenerator implementation class. This class currently supports +- * DES, DESede, AES, ARCFOUR, and Blowfish. ++ * DES, DESede, AES, ARCFOUR, Blowfish, Hmac using MD5, SHA, SHA-2 family ++ * (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256), and SHA-3 ++ * family (SHA3-224, SHA3-256, SHA3-384, SHA3-512) of digests. + * + * @author Andreas Sterbenz + * @since 1.5 +@@ -65,6 +67,48 @@ final class P11KeyGenerator extends KeyGeneratorSpi { + // are supported. + private boolean supportBothKeySizes; + ++ // for determining if the specified key size is valid ++ private final CK_MECHANISM_INFO range; ++ ++ // utility method for query the native key sizes and enforcing the ++ // java-specific lower limit; returned values are in bits ++ private static CK_MECHANISM_INFO getSupportedRange(Token token, ++ long mech) throws ProviderException { ++ // No need to query for fix-length algorithms ++ if (mech == CKM_DES_KEY_GEN || mech == CKM_DES2_KEY_GEN || ++ mech == CKM_DES3_KEY_GEN) { ++ return null; ++ } ++ ++ // Explicitly disallow keys shorter than 40-bits for security ++ int lower = 40; ++ int upper = Integer.MAX_VALUE; ++ try { ++ CK_MECHANISM_INFO info = token.getMechanismInfo(mech); ++ if (info != null) { ++ boolean isBytes = ((mech != CKM_GENERIC_SECRET_KEY_GEN ++ && mech != CKM_RC4_KEY_GEN) || info.iMinKeySize < 8); ++ lower = Math.max(lower, (isBytes? ++ Math.multiplyExact(info.iMinKeySize, 8) : ++ info.iMinKeySize)); ++ // NSS CKM_GENERIC_SECRET_KEY_GEN mech info is not precise; ++ // its upper limit is too low and does not match its impl ++ if (mech == CKM_GENERIC_SECRET_KEY_GEN && ++ info.iMaxKeySize <= 32) { ++ // ignore and leave upper limit at MAX_VALUE; ++ } else if (info.iMaxKeySize != Integer.MAX_VALUE) { ++ upper = (isBytes? ++ Math.multiplyExact(info.iMaxKeySize, 8) : ++ info.iMaxKeySize); ++ } ++ } ++ } catch (PKCS11Exception p11e) { ++ // Should never happen ++ throw new ProviderException("Cannot retrieve mechanism info", p11e); ++ } ++ return new CK_MECHANISM_INFO(lower, upper, 0 /* flags not used */); ++ } ++ + /** + * Utility method for checking if the specified key size is valid + * and within the supported range. Return the significant key size +@@ -78,8 +122,15 @@ final class P11KeyGenerator extends KeyGeneratorSpi { + * @throws ProviderException if this mechanism isn't supported by SunPKCS11 + * or underlying native impl. + */ ++ // called by P11SecretKeyFactory to check key size + static int checkKeySize(long keyGenMech, int keySize, Token token) + throws InvalidAlgorithmParameterException, ProviderException { ++ CK_MECHANISM_INFO range = getSupportedRange(token, keyGenMech); ++ return checkKeySize(keyGenMech, keySize, range); ++ } ++ ++ private static int checkKeySize(long keyGenMech, int keySize, ++ CK_MECHANISM_INFO range) throws InvalidAlgorithmParameterException { + int sigKeySize; + switch ((int)keyGenMech) { + case (int)CKM_DES_KEY_GEN: +@@ -102,45 +153,17 @@ final class P11KeyGenerator extends KeyGeneratorSpi { + break; + default: + // Handle all variable-key-length algorithms here +- CK_MECHANISM_INFO info = null; +- try { +- info = token.getMechanismInfo(keyGenMech); +- } catch (PKCS11Exception p11e) { +- // Should never happen +- throw new ProviderException +- ("Cannot retrieve mechanism info", p11e); +- } +- if (info == null) { +- // XXX Unable to retrieve the supported key length from +- // the underlying native impl. Skip the checking for now. +- return keySize; +- } +- // PKCS#11 defines these to be in number of bytes except for +- // RC4 which is in bits. However, some PKCS#11 impls still use +- // bytes for all mechs, e.g. NSS. We try to detect this +- // inconsistency if the minKeySize seems unreasonably small. +- int minKeySize = info.iMinKeySize; +- int maxKeySize = info.iMaxKeySize; +- if (keyGenMech != CKM_RC4_KEY_GEN || minKeySize < 8) { +- minKeySize = Math.multiplyExact(minKeySize, 8); +- if (maxKeySize != Integer.MAX_VALUE) { +- maxKeySize = Math.multiplyExact(maxKeySize, 8); +- } +- } +- // Explicitly disallow keys shorter than 40-bits for security +- if (minKeySize < 40) minKeySize = 40; +- if (keySize < minKeySize || keySize > maxKeySize) { ++ if (range != null && keySize < range.iMinKeySize ++ || keySize > range.iMaxKeySize) { + throw new InvalidAlgorithmParameterException +- ("Key length must be between " + minKeySize + +- " and " + maxKeySize + " bits"); ++ ("Key length must be between " + range.iMinKeySize + ++ " and " + range.iMaxKeySize + " bits"); + } + if (keyGenMech == CKM_AES_KEY_GEN) { + if ((keySize != 128) && (keySize != 192) && + (keySize != 256)) { + throw new InvalidAlgorithmParameterException +- ("AES key length must be " + minKeySize + +- (maxKeySize >= 192? ", 192":"") + +- (maxKeySize >= 256? ", or 256":"") + " bits"); ++ ("AES key length must be 128, 192, or 256 bits"); + } + } + sigKeySize = keySize; +@@ -148,6 +171,20 @@ final class P11KeyGenerator extends KeyGeneratorSpi { + return sigKeySize; + } + ++ // check the supplied keysize (in bits) and adjust it based on the given ++ // range ++ private static int adjustKeySize(int ks, CK_MECHANISM_INFO mi) { ++ // adjust to fit within the supported range ++ if (mi != null) { ++ if (ks < mi.iMinKeySize) { ++ ks = mi.iMinKeySize; ++ } else if (ks > mi.iMaxKeySize) { ++ ks = mi.iMaxKeySize; ++ } ++ } ++ return ks; ++ } ++ + P11KeyGenerator(Token token, String algorithm, long mechanism) + throws PKCS11Exception { + super(); +@@ -164,54 +201,140 @@ final class P11KeyGenerator extends KeyGeneratorSpi { + (token.provider.config.isEnabled(CKM_DES2_KEY_GEN) && + (token.getMechanismInfo(CKM_DES2_KEY_GEN) != null)); + } +- setDefaultKeySize(); ++ this.range = getSupportedRange(token, mechanism); ++ setDefault(); + } + +- // set default keysize and also initialize keyType +- private void setDefaultKeySize() { ++ // set default keysize and keyType ++ private void setDefault() { ++ significantKeySize = -1; + switch ((int)mechanism) { + case (int)CKM_DES_KEY_GEN: + keySize = 64; + keyType = CKK_DES; ++ significantKeySize = 56; + break; + case (int)CKM_DES2_KEY_GEN: + keySize = 128; + keyType = CKK_DES2; ++ significantKeySize = 112; + break; + case (int)CKM_DES3_KEY_GEN: + keySize = 192; + keyType = CKK_DES3; ++ significantKeySize = 168; + break; + case (int)CKM_AES_KEY_GEN: +- keySize = 128; ++ keySize = adjustKeySize(128, range); + keyType = CKK_AES; + break; + case (int)CKM_RC4_KEY_GEN: +- keySize = 128; ++ keySize = adjustKeySize(128, range); + keyType = CKK_RC4; + break; + case (int)CKM_BLOWFISH_KEY_GEN: +- keySize = 128; ++ keySize = adjustKeySize(128, range); + keyType = CKK_BLOWFISH; + break; + case (int)CKM_CHACHA20_KEY_GEN: + keySize = 256; + keyType = CKK_CHACHA20; + break; ++ case (int)CKM_SHA_1_KEY_GEN: ++ keySize = adjustKeySize(160, range); ++ keyType = CKK_SHA_1_HMAC; ++ break; ++ case (int)CKM_SHA224_KEY_GEN: ++ keySize = adjustKeySize(224, range); ++ keyType = CKK_SHA224_HMAC; ++ break; ++ case (int)CKM_SHA256_KEY_GEN: ++ keySize = adjustKeySize(256, range); ++ keyType = CKK_SHA256_HMAC; ++ break; ++ case (int)CKM_SHA384_KEY_GEN: ++ keySize = adjustKeySize(384, range); ++ keyType = CKK_SHA384_HMAC; ++ break; ++ case (int)CKM_SHA512_KEY_GEN: ++ keySize = adjustKeySize(512, range); ++ keyType = CKK_SHA512_HMAC; ++ break; ++ case (int)CKM_SHA512_224_KEY_GEN: ++ keySize = adjustKeySize(224, range); ++ keyType = CKK_SHA512_224_HMAC; ++ break; ++ case (int)CKM_SHA512_256_KEY_GEN: ++ keySize = adjustKeySize(256, range); ++ keyType = CKK_SHA512_256_HMAC; ++ break; ++ case (int)CKM_SHA3_224_KEY_GEN: ++ keySize = adjustKeySize(224, range); ++ keyType = CKK_SHA3_224_HMAC; ++ break; ++ case (int)CKM_SHA3_256_KEY_GEN: ++ keySize = adjustKeySize(256, range); ++ keyType = CKK_SHA3_256_HMAC; ++ break; ++ case (int)CKM_SHA3_384_KEY_GEN: ++ keySize = adjustKeySize(384, range); ++ keyType = CKK_SHA3_384_HMAC; ++ break; ++ case (int)CKM_SHA3_512_KEY_GEN: ++ keySize = adjustKeySize(512, range); ++ keyType = CKK_SHA3_512_HMAC; ++ break; ++ case (int)CKM_GENERIC_SECRET_KEY_GEN: ++ if (algorithm.startsWith("Hmac")) { ++ String digest = algorithm.substring(4); ++ switch (digest) { ++ case "MD5": ++ keySize = 512; ++ break; ++ case "SHA1": ++ keySize = 160; ++ break; ++ case "SHA224": ++ case "SHA512/224": ++ case "SHA3-224": ++ keySize = 224; ++ break; ++ case "SHA256": ++ case "SHA512/256": ++ case "SHA3-256": ++ keySize = 256; ++ break; ++ case "SHA384": ++ case "SHA3-384": ++ keySize = 384; ++ break; ++ case "SHA512": ++ case "SHA3-512": ++ keySize = 512; ++ break; ++ default: ++ throw new ProviderException("Unsupported algorithm " + ++ algorithm); ++ } ++ keySize = adjustKeySize(keySize, range); ++ } else { ++ throw new ProviderException("Unsupported algorithm " + ++ algorithm); ++ } ++ keyType = CKK_GENERIC_SECRET; ++ break; + default: + throw new ProviderException("Unknown mechanism " + mechanism); + } +- try { +- significantKeySize = checkKeySize(mechanism, keySize, token); +- } catch (InvalidAlgorithmParameterException iape) { +- throw new ProviderException("Unsupported default key size", iape); ++ if (significantKeySize == -1) { ++ significantKeySize = keySize; + } + } + + // see JCE spec + protected void engineInit(SecureRandom random) { + token.ensureValid(); +- setDefaultKeySize(); ++ setDefault(); + } + + // see JCE spec +@@ -226,7 +349,7 @@ final class P11KeyGenerator extends KeyGeneratorSpi { + token.ensureValid(); + int newSignificantKeySize; + try { +- newSignificantKeySize = checkKeySize(mechanism, keySize, token); ++ newSignificantKeySize = checkKeySize(mechanism, keySize, range); + } catch (InvalidAlgorithmParameterException iape) { + throw (InvalidParameterException) + (new InvalidParameterException().initCause(iape)); +@@ -258,10 +381,11 @@ final class P11KeyGenerator extends KeyGeneratorSpi { + try { + session = token.getObjSession(); + CK_ATTRIBUTE[] attributes; +- switch ((int)keyType) { +- case (int)CKK_DES: +- case (int)CKK_DES2: +- case (int)CKK_DES3: ++ ++ switch ((int)mechanism) { ++ case (int)CKM_DES_KEY_GEN: ++ case (int)CKM_DES2_KEY_GEN: ++ case (int)CKM_DES3_KEY_GEN: + // fixed length, do not specify CKA_VALUE_LEN + attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), +@@ -286,5 +410,4 @@ final class P11KeyGenerator extends KeyGeneratorSpi { + token.releaseSession(session); + } + } +- + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +index c88e4a6ace5..29b26651c39 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +@@ -39,8 +39,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + /** + * MAC implementation class. This class currently supports HMAC using +- * MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC +- * using MD5 and SHA-1. ++ * MD5, SHA-1, SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512), ++ * SHA-3 family (SHA3-224, SHA3-256, SHA3-384, and SHA3-512), and the ++ * SSL3 MAC using MD5 and SHA-1. + * + * Note that unlike other classes (e.g. Signature), this does not + * composite various operations if the token only supports part of the +@@ -92,16 +93,20 @@ final class P11Mac extends MacSpi { + break; + case (int)CKM_SHA224_HMAC: + case (int)CKM_SHA512_224_HMAC: ++ case (int)CKM_SHA3_224_HMAC: + macLength = 28; + break; + case (int)CKM_SHA256_HMAC: + case (int)CKM_SHA512_256_HMAC: ++ case (int)CKM_SHA3_256_HMAC: + macLength = 32; + break; + case (int)CKM_SHA384_HMAC: ++ case (int)CKM_SHA3_384_HMAC: + macLength = 48; + break; + case (int)CKM_SHA512_HMAC: ++ case (int)CKM_SHA3_512_HMAC: + macLength = 64; + break; + case (int)CKM_SSL3_MD5_MAC: +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java +index 26eaa4735f1..905b6ea9562 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java +@@ -38,6 +38,7 @@ import java.security.spec.MGF1ParameterSpec; + import java.security.spec.PSSParameterSpec; + import java.security.interfaces.*; + import sun.security.pkcs11.wrapper.*; ++import sun.security.util.KnownOIDs; + import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + +@@ -52,6 +53,10 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + * . SHA256withRSASSA-PSS + * . SHA384withRSASSA-PSS + * . SHA512withRSASSA-PSS ++ * . SHA3-224withRSASSA-PSS ++ * . SHA3-256withRSASSA-PSS ++ * . SHA3-384withRSASSA-PSS ++ * . SHA3-512withRSASSA-PSS + * + * Note that the underlying PKCS#11 token may support complete signature + * algorithm (e.g. CKM__RSA_PKCS_PSS), or it may just +@@ -71,20 +76,28 @@ final class P11PSSSignature extends SignatureSpi { + + static { + DIGEST_LENGTHS.put("SHA-1", 20); +- DIGEST_LENGTHS.put("SHA", 20); +- DIGEST_LENGTHS.put("SHA1", 20); + DIGEST_LENGTHS.put("SHA-224", 28); +- DIGEST_LENGTHS.put("SHA224", 28); + DIGEST_LENGTHS.put("SHA-256", 32); +- DIGEST_LENGTHS.put("SHA256", 32); + DIGEST_LENGTHS.put("SHA-384", 48); +- DIGEST_LENGTHS.put("SHA384", 48); + DIGEST_LENGTHS.put("SHA-512", 64); +- DIGEST_LENGTHS.put("SHA512", 64); + DIGEST_LENGTHS.put("SHA-512/224", 28); +- DIGEST_LENGTHS.put("SHA512/224", 28); + DIGEST_LENGTHS.put("SHA-512/256", 32); +- DIGEST_LENGTHS.put("SHA512/256", 32); ++ DIGEST_LENGTHS.put("SHA3-224", 28); ++ DIGEST_LENGTHS.put("SHA3-256", 32); ++ DIGEST_LENGTHS.put("SHA3-384", 48); ++ DIGEST_LENGTHS.put("SHA3-512", 64); ++ } ++ ++ // utility method for looking up the std digest algorithms ++ private static String toStdName(String givenDigestAlg) { ++ if (givenDigestAlg == null) return null; ++ ++ KnownOIDs given2 = KnownOIDs.findMatch(givenDigestAlg); ++ if (given2 == null) { ++ return givenDigestAlg; ++ } else { ++ return given2.stdName(); ++ } + } + + // utility method for comparing digest algorithms +@@ -92,24 +105,8 @@ final class P11PSSSignature extends SignatureSpi { + private static boolean isDigestEqual(String stdAlg, String givenAlg) { + if (stdAlg == null || givenAlg == null) return false; + +- if (givenAlg.indexOf("-") != -1) { +- return stdAlg.equalsIgnoreCase(givenAlg); +- } else { +- if (stdAlg.equals("SHA-1")) { +- return (givenAlg.equalsIgnoreCase("SHA") +- || givenAlg.equalsIgnoreCase("SHA1")); +- } else { +- StringBuilder sb = new StringBuilder(givenAlg); +- // case-insensitive check +- if (givenAlg.regionMatches(true, 0, "SHA", 0, 3)) { +- givenAlg = sb.insert(3, "-").toString(); +- return stdAlg.equalsIgnoreCase(givenAlg); +- } else { +- throw new ProviderException("Unsupported digest algorithm " +- + givenAlg); +- } +- } +- } ++ givenAlg = toStdName(givenAlg); ++ return stdAlg.equalsIgnoreCase(givenAlg); + } + + // token instance +@@ -172,26 +169,57 @@ final class P11PSSSignature extends SignatureSpi { + this.algorithm = algorithm; + this.mechanism = new CK_MECHANISM(mechId); + int idx = algorithm.indexOf("with"); +- this.mdAlg = (idx == -1? null : algorithm.substring(0, idx)); ++ // convert to stdName ++ this.mdAlg = (idx == -1? ++ null : toStdName(algorithm.substring(0, idx))); ++ + switch ((int)mechId) { + case (int)CKM_SHA1_RSA_PKCS_PSS: + case (int)CKM_SHA224_RSA_PKCS_PSS: + case (int)CKM_SHA256_RSA_PKCS_PSS: + case (int)CKM_SHA384_RSA_PKCS_PSS: + case (int)CKM_SHA512_RSA_PKCS_PSS: ++ case (int)CKM_SHA3_224_RSA_PKCS_PSS: ++ case (int)CKM_SHA3_256_RSA_PKCS_PSS: ++ case (int)CKM_SHA3_384_RSA_PKCS_PSS: ++ case (int)CKM_SHA3_512_RSA_PKCS_PSS: + type = T_UPDATE; ++ this.md = null; + break; + case (int)CKM_RSA_PKCS_PSS: ++ // check if the digest algo is supported by underlying PKCS11 lib ++ if (this.mdAlg != null && token.getMechanismInfo ++ (Functions.getHashMechId(this.mdAlg)) == null) { ++ throw new NoSuchAlgorithmException("Unsupported algorithm: " + ++ algorithm); ++ } ++ this.md = (this.mdAlg == null? null : ++ MessageDigest.getInstance(this.mdAlg)); + type = T_DIGEST; + break; + default: + throw new ProviderException("Unsupported mechanism: " + mechId); + } +- this.md = null; ++ } ++ ++ private static PSSParameterSpec genDefaultParams(String digestAlg, ++ P11Key key) throws SignatureException { ++ int mdLen; ++ try { ++ mdLen = DIGEST_LENGTHS.get(digestAlg); ++ } catch (NullPointerException npe) { ++ throw new SignatureException("Unsupported digest: " + ++ digestAlg); ++ } ++ int saltLen = Integer.min(mdLen, (key.length() >> 3) - mdLen -2); ++ return new PSSParameterSpec(digestAlg, ++ "MGF1", new MGF1ParameterSpec(digestAlg), ++ saltLen, PSSParameterSpec.TRAILER_FIELD_BC); + } + + private void ensureInitialized() throws SignatureException { + token.ensureValid(); ++ + if (this.p11Key == null) { + throw new SignatureException("Missing key"); + } +@@ -200,20 +228,19 @@ final class P11PSSSignature extends SignatureSpi { + // PSS Parameters are required for signature verification + throw new SignatureException + ("Parameters required for RSASSA-PSS signature"); +- } else { +- int saltLen = DIGEST_LENGTHS.get(this.mdAlg).intValue(); +- // generate default params for both sign and verify? +- this.sigParams = new PSSParameterSpec(this.mdAlg, +- "MGF1", new MGF1ParameterSpec(this.mdAlg), +- saltLen, PSSParameterSpec.TRAILER_FIELD_BC); +- this.mechanism.setParameter(new CK_RSA_PKCS_PSS_PARAMS( +- this.mdAlg, "MGF1", this.mdAlg, +- DIGEST_LENGTHS.get(this.mdAlg).intValue())); + } ++ // generate default params for both sign and verify? ++ this.sigParams = genDefaultParams(this.mdAlg, this.p11Key); ++ this.mechanism.setParameter(new CK_RSA_PKCS_PSS_PARAMS( ++ this.mdAlg, "MGF1", this.mdAlg, sigParams.getSaltLength())); + } + + if (initialized == false) { +- initialize(); ++ try { ++ initialize(); ++ } catch (ProviderException pe) { ++ throw new SignatureException(pe); ++ } + } + } + +@@ -286,7 +313,7 @@ final class P11PSSSignature extends SignatureSpi { + } + + // assumes current state is initialized == false +- private void initialize() { ++ private void initialize() throws ProviderException { + if (DEBUG) System.out.println("Initializing"); + + if (p11Key == null) { +@@ -363,7 +390,8 @@ final class P11PSSSignature extends SignatureSpi { + if (this.sigParams != null) { + String digestAlg = this.sigParams.getDigestAlgorithm(); + int sLen = this.sigParams.getSaltLength(); +- int hLen = DIGEST_LENGTHS.get(digestAlg).intValue(); ++ ++ int hLen = DIGEST_LENGTHS.get(toStdName(digestAlg)).intValue(); + int minKeyLen = Math.addExact(Math.addExact(sLen, hLen), 2); + + if (keySize < minKeyLen) { +@@ -387,12 +415,24 @@ final class P11PSSSignature extends SignatureSpi { + if (params == this.sigParams) return; + + String digestAlgorithm = params.getDigestAlgorithm(); +- if (this.mdAlg != null && !isDigestEqual(digestAlgorithm, this.mdAlg)) { ++ if (this.mdAlg != null && !isDigestEqual(this.mdAlg, digestAlgorithm)) { + throw new InvalidAlgorithmParameterException + ("Digest algorithm in Signature parameters must be " + + this.mdAlg); + } +- Integer digestLen = DIGEST_LENGTHS.get(digestAlgorithm); ++ ++ try { ++ if (token.getMechanismInfo(Functions.getHashMechId ++ (digestAlgorithm)) == null) { ++ throw new InvalidAlgorithmParameterException ++ ("Unsupported digest algorithm: " + digestAlgorithm); ++ } ++ } catch (PKCS11Exception pe) { ++ // should not happen ++ throw new InvalidAlgorithmParameterException(pe); ++ } ++ ++ Integer digestLen = DIGEST_LENGTHS.get(toStdName(digestAlgorithm)); + if (digestLen == null) { + throw new InvalidAlgorithmParameterException + ("Unsupported digest algorithm in Signature parameters: " + +@@ -465,8 +505,14 @@ final class P11PSSSignature extends SignatureSpi { + mode = M_VERIFY; + p11Key = P11KeyFactory.convertKey(token, publicKey, KEY_ALGO); + +- // For PSS, defer PKCS11 initialization calls to update/doFinal as it +- // needs both key and params ++ // attempt initialization when key and params are both available ++ if (this.p11Key != null && this.sigParams != null) { ++ try { ++ initialize(); ++ } catch (ProviderException pe) { ++ throw new InvalidKeyException(pe); ++ } ++ } + } + + // see JCA spec +@@ -487,8 +533,14 @@ final class P11PSSSignature extends SignatureSpi { + mode = M_SIGN; + p11Key = P11KeyFactory.convertKey(token, privateKey, KEY_ALGO); + +- // For PSS, defer PKCS11 initialization calls to update/doFinal as it +- // needs both key and params ++ // attempt initialization when key and params are both available ++ if (this.p11Key != null && this.sigParams != null) { ++ try { ++ initialize(); ++ } catch (ProviderException pe) { ++ throw new InvalidKeyException(pe); ++ } ++ } + } + + // see JCA spec +@@ -698,6 +750,15 @@ final class P11PSSSignature extends SignatureSpi { + throw new InvalidAlgorithmParameterException(nsae); + } + } ++ ++ // attempt initialization when key and params are both available ++ if (this.p11Key != null && this.sigParams != null) { ++ try { ++ initialize(); ++ } catch (ProviderException pe) { ++ throw new InvalidAlgorithmParameterException(pe); ++ } ++ } + } + + // see JCA spec +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java +index e3af106d05a..e49edf32c29 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java +@@ -51,8 +51,15 @@ import sun.security.util.KeyUtil; + * . DSA + * . NONEwithDSA (RawDSA) + * . SHA1withDSA +- * . NONEwithDSAinP1363Format (RawDSAinP1363Format) +- * . SHA1withDSAinP1363Format ++ * . SHA224withDSA ++ * . SHA256withDSA ++ * . SHA384withDSA ++ * . SHA512withDSA ++ * . SHA3-224withDSA ++ * . SHA3-256withDSA ++ * . SHA3-384withDSA ++ * . SHA3-512withDSA ++ * . inP1363Format + * . RSA: + * . MD2withRSA + * . MD5withRSA +@@ -61,6 +68,10 @@ import sun.security.util.KeyUtil; + * . SHA256withRSA + * . SHA384withRSA + * . SHA512withRSA ++ * . SHA3-224withRSA ++ * . SHA3-256withRSA ++ * . SHA3-384withRSA ++ * . SHA3-512withRSA + * . ECDSA + * . NONEwithECDSA + * . SHA1withECDSA +@@ -68,12 +79,11 @@ import sun.security.util.KeyUtil; + * . SHA256withECDSA + * . SHA384withECDSA + * . SHA512withECDSA +- * . NONEwithECDSAinP1363Format +- * . SHA1withECDSAinP1363Format +- * . SHA224withECDSAinP1363Format +- * . SHA256withECDSAinP1363Format +- * . SHA384withECDSAinP1363Format +- * . SHA512withECDSAinP1363Format ++ * . SHA3_224withECDSA ++ * . SHA3_256withECDSA ++ * . SHA3_384withECDSA ++ * . SHA3_512withECDSA ++ * . inP1363Format + * + * Note that the underlying PKCS#11 token may support complete signature + * algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just +@@ -144,10 +154,11 @@ final class P11Signature extends SignatureSpi { + // constant for type raw, used with RawDSA and NONEwithECDSA only + private final static int T_RAW = 3; + +- // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits", +- // but this is a little arbitrary ++ // PKCS#11 spec for CKM_ECDSA states that the length should not be longer ++ // than 1024 bits", but this is a little arbitrary + private final static int RAW_ECDSA_MAX = 128; + ++ + P11Signature(Token token, String algorithm, long mechanism) + throws NoSuchAlgorithmException, PKCS11Exception { + super(); +@@ -165,16 +176,36 @@ final class P11Signature extends SignatureSpi { + case (int)CKM_SHA256_RSA_PKCS: + case (int)CKM_SHA384_RSA_PKCS: + case (int)CKM_SHA512_RSA_PKCS: ++ case (int)CKM_SHA3_224_RSA_PKCS: ++ case (int)CKM_SHA3_256_RSA_PKCS: ++ case (int)CKM_SHA3_384_RSA_PKCS: ++ case (int)CKM_SHA3_512_RSA_PKCS: + keyAlgorithm = "RSA"; + type = T_UPDATE; + buffer = new byte[1]; + break; + case (int)CKM_DSA_SHA1: ++ case (int)CKM_DSA_SHA224: ++ case (int)CKM_DSA_SHA256: ++ case (int)CKM_DSA_SHA384: ++ case (int)CKM_DSA_SHA512: ++ case (int)CKM_DSA_SHA3_224: ++ case (int)CKM_DSA_SHA3_256: ++ case (int)CKM_DSA_SHA3_384: ++ case (int)CKM_DSA_SHA3_512: + keyAlgorithm = "DSA"; + type = T_UPDATE; + buffer = new byte[1]; + break; + case (int)CKM_ECDSA_SHA1: ++ case (int)CKM_ECDSA_SHA224: ++ case (int)CKM_ECDSA_SHA256: ++ case (int)CKM_ECDSA_SHA384: ++ case (int)CKM_ECDSA_SHA512: ++ case (int)CKM_ECDSA_SHA3_224: ++ case (int)CKM_ECDSA_SHA3_256: ++ case (int)CKM_ECDSA_SHA3_384: ++ case (int)CKM_ECDSA_SHA3_512: + keyAlgorithm = "EC"; + type = T_UPDATE; + buffer = new byte[1]; +@@ -200,57 +231,18 @@ final class P11Signature extends SignatureSpi { + type = T_RAW; + buffer = new byte[RAW_ECDSA_MAX]; + } else { +- String digestAlg; +- if (algorithm.equals("SHA1withECDSA") || +- algorithm.equals("SHA1withECDSAinP1363Format")) { +- digestAlg = "SHA-1"; +- } else if (algorithm.equals("SHA224withECDSA") || +- algorithm.equals("SHA224withECDSAinP1363Format")) { +- digestAlg = "SHA-224"; +- } else if (algorithm.equals("SHA256withECDSA") || +- algorithm.equals("SHA256withECDSAinP1363Format")) { +- digestAlg = "SHA-256"; +- } else if (algorithm.equals("SHA384withECDSA") || +- algorithm.equals("SHA384withECDSAinP1363Format")) { +- digestAlg = "SHA-384"; +- } else if (algorithm.equals("SHA512withECDSA") || +- algorithm.equals("SHA512withECDSAinP1363Format")) { +- digestAlg = "SHA-512"; +- } else { +- throw new ProviderException(algorithm); +- } + type = T_DIGEST; +- md = MessageDigest.getInstance(digestAlg); ++ md = MessageDigest.getInstance ++ (getDigestEnum(algorithm).stdName()); + } + break; + case (int)CKM_RSA_PKCS: + case (int)CKM_RSA_X_509: + keyAlgorithm = "RSA"; + type = T_DIGEST; +- if (algorithm.equals("MD5withRSA")) { +- md = MessageDigest.getInstance("MD5"); +- digestOID = AlgorithmId.MD5_oid; +- } else if (algorithm.equals("SHA1withRSA")) { +- md = MessageDigest.getInstance("SHA-1"); +- digestOID = AlgorithmId.SHA_oid; +- } else if (algorithm.equals("MD2withRSA")) { +- md = MessageDigest.getInstance("MD2"); +- digestOID = AlgorithmId.MD2_oid; +- } else if (algorithm.equals("SHA224withRSA")) { +- md = MessageDigest.getInstance("SHA-224"); +- digestOID = AlgorithmId.SHA224_oid; +- } else if (algorithm.equals("SHA256withRSA")) { +- md = MessageDigest.getInstance("SHA-256"); +- digestOID = AlgorithmId.SHA256_oid; +- } else if (algorithm.equals("SHA384withRSA")) { +- md = MessageDigest.getInstance("SHA-384"); +- digestOID = AlgorithmId.SHA384_oid; +- } else if (algorithm.equals("SHA512withRSA")) { +- md = MessageDigest.getInstance("SHA-512"); +- digestOID = AlgorithmId.SHA512_oid; +- } else { +- throw new ProviderException("Unknown signature: " + algorithm); +- } ++ KnownOIDs digestAlg = getDigestEnum(algorithm); ++ md = MessageDigest.getInstance(digestAlg.stdName()); ++ digestOID = ObjectIdentifier.of(digestAlg); + break; + default: + throw new ProviderException("Unknown mechanism: " + mechanism); +@@ -304,8 +296,8 @@ final class P11Signature extends SignatureSpi { + } + } else { // M_VERIFY + byte[] signature; +- if (keyAlgorithm.equals("DSA")) { +- signature = new byte[40]; ++ if (mechanism == CKM_DSA) { ++ signature = new byte[64]; // assume N = 256 + } else { + signature = new byte[(p11Key.length() + 7) >> 3]; + } +@@ -449,13 +441,17 @@ final class P11Signature extends SignatureSpi { + encodedLength = 34; + } else if (algorithm.equals("SHA1withRSA")) { + encodedLength = 35; +- } else if (algorithm.equals("SHA224withRSA")) { ++ } else if (algorithm.equals("SHA224withRSA") || ++ algorithm.equals("SHA3-224withRSA")) { + encodedLength = 47; +- } else if (algorithm.equals("SHA256withRSA")) { ++ } else if (algorithm.equals("SHA256withRSA") || ++ algorithm.equals("SHA3-256withRSA")) { + encodedLength = 51; +- } else if (algorithm.equals("SHA384withRSA")) { ++ } else if (algorithm.equals("SHA384withRSA") || ++ algorithm.equals("SHA3-384withRSA")) { + encodedLength = 67; +- } else if (algorithm.equals("SHA512withRSA")) { ++ } else if (algorithm.equals("SHA512withRSA") || ++ algorithm.equals("SHA3-512withRSA")) { + encodedLength = 83; + } else { + throw new ProviderException("Unknown signature algo: " + algorithm); +@@ -631,8 +627,7 @@ final class P11Signature extends SignatureSpi { + try { + byte[] signature; + if (type == T_UPDATE) { +- int len = keyAlgorithm.equals("DSA") ? 40 : 0; +- signature = token.p11.C_SignFinal(session.id(), len); ++ signature = token.p11.C_SignFinal(session.id(), 0); + } else { + byte[] digest; + if (type == T_DIGEST) { +@@ -781,6 +776,23 @@ final class P11Signature extends SignatureSpi { + } + } + ++ private static KnownOIDs getDigestEnum(String algorithm) ++ throws NoSuchAlgorithmException { ++ try { ++ String digAlg = SignatureUtil.extractDigestAlgFromDwithE(algorithm); ++ KnownOIDs k = KnownOIDs.findMatch(digAlg); ++ if (k == null) { ++ throw new NoSuchAlgorithmException ++ ("Unsupported digest algorithm: " + digAlg); ++ } ++ return k; ++ } catch (IllegalArgumentException iae) { ++ // should never happen ++ throw new NoSuchAlgorithmException("Unknown signature: " + ++ algorithm, iae); ++ } ++ } ++ + // private static byte[] decodeSignature(byte[] signature) throws IOException { + // return RSASignature.decodeSignature(digestOID, signature); + // } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index cf7cd19b689..7a8bcffb92c 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -550,6 +550,18 @@ public final class SunPKCS11 extends AuthProvider { + d(MD, "SHA-512/256", P11Digest, + s("2.16.840.1.101.3.4.2.6", "OID.2.16.840.1.101.3.4.2.6"), + m(CKM_SHA512_256)); ++ d(MD, "SHA3-224", P11Digest, ++ s("2.16.840.1.101.3.4.2.7", "OID.2.16.840.1.101.3.4.2.7"), ++ m(CKM_SHA3_224)); ++ d(MD, "SHA3-256", P11Digest, ++ s("2.16.840.1.101.3.4.2.8", "OID.2.16.840.1.101.3.4.2.8"), ++ m(CKM_SHA3_256)); ++ d(MD, "SHA3-384", P11Digest, ++ s("2.16.840.1.101.3.4.2.9", "OID.2.16.840.1.101.3.4.2.9"), ++ m(CKM_SHA3_384)); ++ d(MD, "SHA3-512", P11Digest, ++ s("2.16.840.1.101.3.4.2.10", "OID.2.16.840.1.101.3.4.2.10"), ++ m(CKM_SHA3_512)); + + d(MAC, "HmacMD5", P11MAC, + m(CKM_MD5_HMAC)); +@@ -574,7 +586,18 @@ public final class SunPKCS11 extends AuthProvider { + d(MAC, "HmacSHA512/256", P11MAC, + s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"), + m(CKM_SHA512_256_HMAC)); +- ++ d(MAC, "HmacSHA3-224", P11MAC, ++ s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"), ++ m(CKM_SHA3_224_HMAC)); ++ d(MAC, "HmacSHA3-256", P11MAC, ++ s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"), ++ m(CKM_SHA3_256_HMAC)); ++ d(MAC, "HmacSHA3-384", P11MAC, ++ s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"), ++ m(CKM_SHA3_384_HMAC)); ++ d(MAC, "HmacSHA3-512", P11MAC, ++ s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"), ++ m(CKM_SHA3_512_HMAC)); + d(MAC, "SslMacMD5", P11MAC, + m(CKM_SSL3_MD5_MAC)); + d(MAC, "SslMacSHA1", P11MAC, +@@ -604,6 +627,41 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_BLOWFISH_KEY_GEN)); + d(KG, "ChaCha20", P11KeyGenerator, + m(CKM_CHACHA20_KEY_GEN)); ++ d(KG, "HmacMD5", P11KeyGenerator, // 1.3.6.1.5.5.8.1.1 ++ m(CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA1", P11KeyGenerator, ++ s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"), ++ m(CKM_SHA_1_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA224", P11KeyGenerator, ++ s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"), ++ m(CKM_SHA224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA256", P11KeyGenerator, ++ s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"), ++ m(CKM_SHA256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA384", P11KeyGenerator, ++ s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"), ++ m(CKM_SHA384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA512", P11KeyGenerator, ++ s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"), ++ m(CKM_SHA512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA512/224", P11KeyGenerator, ++ s("1.2.840.113549.2.12", "OID.1.2.840.113549.2.12"), ++ m(CKM_SHA512_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA512/256", P11KeyGenerator, ++ s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"), ++ m(CKM_SHA512_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA3-224", P11KeyGenerator, ++ s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"), ++ m(CKM_SHA3_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA3-256", P11KeyGenerator, ++ s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"), ++ m(CKM_SHA3_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA3-384", P11KeyGenerator, ++ s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"), ++ m(CKM_SHA3_384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); ++ d(KG, "HmacSHA3-512", P11KeyGenerator, ++ s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"), ++ m(CKM_SHA3_512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); + + // register (Secret)KeyFactories if there are any mechanisms + // for a particular algorithm that we support +@@ -747,13 +805,40 @@ public final class SunPKCS11 extends AuthProvider { + d(SIG, "SHA512withDSA", P11Signature, + s("2.16.840.1.101.3.4.3.4", "OID.2.16.840.1.101.3.4.3.4"), + m(CKM_DSA_SHA512)); ++ d(SIG, "SHA3-224withDSA", P11Signature, ++ s("2.16.840.1.101.3.4.3.5", "OID.2.16.840.1.101.3.4.3.5"), ++ m(CKM_DSA_SHA3_224)); ++ d(SIG, "SHA3-256withDSA", P11Signature, ++ s("2.16.840.1.101.3.4.3.6", "OID.2.16.840.1.101.3.4.3.6"), ++ m(CKM_DSA_SHA3_256)); ++ d(SIG, "SHA3-384withDSA", P11Signature, ++ s("2.16.840.1.101.3.4.3.7", "OID.2.16.840.1.101.3.4.3.7"), ++ m(CKM_DSA_SHA3_384)); ++ d(SIG, "SHA3-512withDSA", P11Signature, ++ s("2.16.840.1.101.3.4.3.8", "OID.2.16.840.1.101.3.4.3.8"), ++ m(CKM_DSA_SHA3_512)); + d(SIG, "RawDSAinP1363Format", P11Signature, + s("NONEwithDSAinP1363Format"), + m(CKM_DSA)); + d(SIG, "DSAinP1363Format", P11Signature, + s("SHA1withDSAinP1363Format"), + m(CKM_DSA_SHA1, CKM_DSA)); +- ++ d(SIG, "SHA224withDSAinP1363Format", P11Signature, ++ m(CKM_DSA_SHA224)); ++ d(SIG, "SHA256withDSAinP1363Format", P11Signature, ++ m(CKM_DSA_SHA256)); ++ d(SIG, "SHA384withDSAinP1363Format", P11Signature, ++ m(CKM_DSA_SHA384)); ++ d(SIG, "SHA512withDSAinP1363Format", P11Signature, ++ m(CKM_DSA_SHA512)); ++ d(SIG, "SHA3-224withDSAinP1363Format", P11Signature, ++ m(CKM_DSA_SHA3_224)); ++ d(SIG, "SHA3-256withDSAinP1363Format", P11Signature, ++ m(CKM_DSA_SHA3_256)); ++ d(SIG, "SHA3-384withDSAinP1363Format", P11Signature, ++ m(CKM_DSA_SHA3_384)); ++ d(SIG, "SHA3-512withDSAinP1363Format", P11Signature, ++ m(CKM_DSA_SHA3_512)); + d(SIG, "NONEwithECDSA", P11Signature, + m(CKM_ECDSA)); + d(SIG, "SHA1withECDSA", P11Signature, +@@ -761,28 +846,49 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_ECDSA_SHA1, CKM_ECDSA)); + d(SIG, "SHA224withECDSA", P11Signature, + s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"), +- m(CKM_ECDSA)); ++ m(CKM_ECDSA_SHA224, CKM_ECDSA)); + d(SIG, "SHA256withECDSA", P11Signature, + s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"), +- m(CKM_ECDSA)); ++ m(CKM_ECDSA_SHA256, CKM_ECDSA)); + d(SIG, "SHA384withECDSA", P11Signature, + s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"), +- m(CKM_ECDSA)); ++ m(CKM_ECDSA_SHA384, CKM_ECDSA)); + d(SIG, "SHA512withECDSA", P11Signature, + s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"), +- m(CKM_ECDSA)); ++ m(CKM_ECDSA_SHA512, CKM_ECDSA)); ++ d(SIG, "SHA3-224withECDSA", P11Signature, ++ s("1.2.840.10045.4.3.9", "OID.1.2.840.10045.4.3.9"), ++ m(CKM_ECDSA_SHA3_224, CKM_ECDSA)); ++ d(SIG, "SHA3-256withECDSA", P11Signature, ++ s("1.2.840.10045.4.3.10", "OID.1.2.840.10045.4.3.10"), ++ m(CKM_ECDSA_SHA3_256, CKM_ECDSA)); ++ d(SIG, "SHA3-384withECDSA", P11Signature, ++ s("1.2.840.10045.4.3.11", "OID.1.2.840.10045.4.3.11"), ++ m(CKM_ECDSA_SHA3_384, CKM_ECDSA)); ++ d(SIG, "SHA3-512withECDSA", P11Signature, ++ s("1.2.840.10045.4.3.12", "OID.1.2.840.10045.4.3.12"), ++ m(CKM_ECDSA_SHA3_512, CKM_ECDSA)); + d(SIG, "NONEwithECDSAinP1363Format", P11Signature, + m(CKM_ECDSA)); + d(SIG, "SHA1withECDSAinP1363Format", P11Signature, + m(CKM_ECDSA_SHA1, CKM_ECDSA)); + d(SIG, "SHA224withECDSAinP1363Format", P11Signature, +- m(CKM_ECDSA)); ++ m(CKM_ECDSA_SHA224, CKM_ECDSA)); + d(SIG, "SHA256withECDSAinP1363Format", P11Signature, +- m(CKM_ECDSA)); ++ m(CKM_ECDSA_SHA256, CKM_ECDSA)); + d(SIG, "SHA384withECDSAinP1363Format", P11Signature, +- m(CKM_ECDSA)); ++ m(CKM_ECDSA_SHA384, CKM_ECDSA)); + d(SIG, "SHA512withECDSAinP1363Format", P11Signature, +- m(CKM_ECDSA)); ++ m(CKM_ECDSA_SHA512, CKM_ECDSA)); ++ d(SIG, "SHA3-224withECDSAinP1363Format", P11Signature, ++ m(CKM_ECDSA_SHA3_224, CKM_ECDSA)); ++ d(SIG, "SHA3-256withECDSAinP1363Format", P11Signature, ++ m(CKM_ECDSA_SHA3_256, CKM_ECDSA)); ++ d(SIG, "SHA3-384withECDSAinP1363Format", P11Signature, ++ m(CKM_ECDSA_SHA3_384, CKM_ECDSA)); ++ d(SIG, "SHA3-512withECDSAinP1363Format", P11Signature, ++ m(CKM_ECDSA_SHA3_512, CKM_ECDSA)); ++ + d(SIG, "MD2withRSA", P11Signature, + s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"), + m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); +@@ -805,6 +911,18 @@ public final class SunPKCS11 extends AuthProvider { + d(SIG, "SHA512withRSA", P11Signature, + s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"), + m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); ++ d(SIG, "SHA3-224withRSA", P11Signature, ++ s("2.16.840.1.101.3.4.3.13", "OID.2.16.840.1.101.3.4.3.13"), ++ m(CKM_SHA3_224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); ++ d(SIG, "SHA3-256withRSA", P11Signature, ++ s("2.16.840.1.101.3.4.3.14", "OID.2.16.840.1.101.3.4.3.14"), ++ m(CKM_SHA3_256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); ++ d(SIG, "SHA3-384withRSA", P11Signature, ++ s("2.16.840.1.101.3.4.3.15", "OID.2.16.840.1.101.3.4.3.15"), ++ m(CKM_SHA3_384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); ++ d(SIG, "SHA3-512withRSA", P11Signature, ++ s("2.16.840.1.101.3.4.3.16", "OID.2.16.840.1.101.3.4.3.16"), ++ m(CKM_SHA3_512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); + d(SIG, "RSASSA-PSS", P11PSSSignature, + s("1.2.840.113549.1.1.10", "OID.1.2.840.113549.1.1.10"), + m(CKM_RSA_PKCS_PSS)); +@@ -818,6 +936,14 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_SHA384_RSA_PKCS_PSS)); + d(SIG, "SHA512withRSASSA-PSS", P11PSSSignature, + m(CKM_SHA512_RSA_PKCS_PSS)); ++ d(SIG, "SHA3-224withRSASSA-PSS", P11PSSSignature, ++ m(CKM_SHA3_224_RSA_PKCS_PSS)); ++ d(SIG, "SHA3-256withRSASSA-PSS", P11PSSSignature, ++ m(CKM_SHA3_256_RSA_PKCS_PSS)); ++ d(SIG, "SHA3-384withRSASSA-PSS", P11PSSSignature, ++ m(CKM_SHA3_384_RSA_PKCS_PSS)); ++ d(SIG, "SHA3-512withRSASSA-PSS", P11PSSSignature, ++ m(CKM_SHA3_512_RSA_PKCS_PSS)); + + d(KG, "SunTlsRsaPremasterSecret", + "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator", +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java +index e077943bbc2..cb04b95304d 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -57,7 +57,12 @@ public class CK_RSA_PKCS_PSS_PARAMS { + throw new ProviderException("Only MGF1 is supported"); + } + // no dash in PKCS#11 mechanism names +- this.mgf = Functions.getMGFId("CKG_MGF1_" + mgfHash.replaceFirst("-", "")); ++ if (mgfHash.startsWith("SHA3-")) { ++ mgfHash = mgfHash.replaceFirst("-", "_"); ++ } else { ++ mgfHash = mgfHash.replaceFirst("-", ""); ++ } ++ this.mgf = Functions.getMGFId("CKG_MGF1_" + mgfHash); + this.sLen = sLen; + } + +diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java +new file mode 100644 +index 00000000000..d6707028d96 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java +@@ -0,0 +1,84 @@ ++/* ++ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++/* ++ * @test ++ * @bug 8242332 ++ * @summary Check that PKCS11 Hamc KeyGenerator picks appropriate default size ++ * @library /test/lib .. ++ * @modules jdk.crypto.cryptoki ++ * @run main/othervm HmacDefKeySizeTest ++ * @run main/othervm HmacDefKeySizeTest sm ++ */ ++ ++import java.security.InvalidKeyException; ++import java.security.NoSuchAlgorithmException; ++import java.security.NoSuchProviderException; ++import java.security.Provider; ++import java.util.List; ++import javax.crypto.KeyGenerator; ++import javax.crypto.SecretKey; ++ ++public class HmacDefKeySizeTest extends PKCS11Test { ++ ++ /** ++ * Request a KeyGenerator object from PKCS11 provider for Hmac algorithm, ++ * and generate the SecretKey. ++ * ++ * @param args the command line arguments ++ */ ++ public static void main(String[] args) throws Exception { ++ main(new HmacDefKeySizeTest(), args); ++ } ++ ++ @Override ++ public void main(Provider p) { ++ List algorithms = getSupportedAlgorithms("KeyGenerator", ++ "Hmac", p); ++ boolean success = true; ++ ++ for (String alg : algorithms) { ++ System.out.println("Testing " + alg); ++ try { ++ KeyGenerator kg = KeyGenerator.getInstance(alg, p); ++ SecretKey k1 = kg.generateKey(); ++ int keysize = k1.getEncoded().length << 3; ++ System.out.println("=> default key size = " + keysize); ++ kg.init(keysize); ++ SecretKey k2 = kg.generateKey(); ++ if ((k2.getEncoded().length << 3) != keysize) { ++ success = false; ++ System.out.println("keysize check failed"); ++ } ++ } catch (Exception e) { ++ System.out.println("Unexpected exception: " + e); ++ e.printStackTrace(); ++ success = false; ++ } ++ } ++ ++ if (!success) { ++ throw new RuntimeException("One or more tests failed"); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java +index b61d10beece..78b7d857e8e 100644 +--- a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java ++++ b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java +@@ -23,7 +23,7 @@ + + /* + * @test +- * @bug 4917233 6461727 6490213 6720456 ++ * @bug 4917233 6461727 6490213 6720456 8242332 + * @summary test the KeyGenerator + * @author Andreas Sterbenz + * @library /test/lib .. +@@ -128,6 +128,18 @@ public class TestKeyGenerator extends PKCS11Test { + test("ARCFOUR", 40, p, TestResult.PASS); + test("ARCFOUR", 128, p, TestResult.PASS); + ++ String[] HMAC_ALGS = { ++ "HmacSHA1", "HmacSHA224", "HmacSHA256", "HmacSHA384", "HmacSHA512", ++ "HmacSHA512/224", "HmacSHA512/256", "HmacSHA3-224", "HmacSHA3-256", ++ "HmacSHA3-384", "HmacSHA3-512", ++ }; ++ ++ for (String hmacAlg : HMAC_ALGS) { ++ test(hmacAlg, 0, p, TestResult.FAIL); ++ test(hmacAlg, 128, p, TestResult.PASS); ++ test(hmacAlg, 224, p, TestResult.PASS); ++ } ++ + if (p.getName().equals("SunPKCS11-Solaris")) { + test("ARCFOUR", 1024, p, TestResult.TBD); + } else if (p.getName().equals("SunPKCS11-NSS")) { +diff --git a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java +index 59af327c1f2..64c42a6dd06 100644 +--- a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java ++++ b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java +@@ -23,7 +23,7 @@ + + /* + * @test +- * @bug 8048603 ++ * @bug 8048603 8242332 + * @summary Check if doFinal and update operation result in same Mac + * @author Yu-Ching Valerie Peng, Bill Situ, Alexander Fomin + * @library /test/lib .. +@@ -40,13 +40,15 @@ import java.security.Provider; + import java.security.SecureRandom; + import java.util.List; + import javax.crypto.Mac; ++import javax.crypto.KeyGenerator; ++import javax.crypto.SecretKey; + import javax.crypto.spec.SecretKeySpec; + + public class MacSameTest extends PKCS11Test { + + private static final int MESSAGE_SIZE = 25; + private static final int OFFSET = 5; +- private static final int KEY_SIZE = 70; ++ private static final int KEY_SIZE = 128; + + /** + * Initialize a message, instantiate a Mac object, +@@ -67,9 +69,30 @@ public class MacSameTest extends PKCS11Test { + public void main(Provider p) { + List algorithms = getSupportedAlgorithms("Mac", "Hmac", p); + boolean success = true; ++ SecureRandom srdm = new SecureRandom(); ++ + for (String alg : algorithms) { ++ // first try w/ java secret key object ++ byte[] keyVal = new byte[KEY_SIZE]; ++ srdm.nextBytes(keyVal); ++ SecretKey skey = new SecretKeySpec(keyVal, alg); ++ ++ try { ++ doTest(alg, skey, p); ++ } catch (Exception e) { ++ System.out.println("Unexpected exception: " + e); ++ e.printStackTrace(); ++ success = false; ++ } ++ + try { +- doTest(alg, p); ++ KeyGenerator kg = KeyGenerator.getInstance(alg, p); ++ kg.init(KEY_SIZE); ++ skey = kg.generateKey(); ++ doTest(alg, skey, p); ++ } catch (NoSuchAlgorithmException nsae) { ++ System.out.println("Skip test using native key for " + alg); ++ continue; + } catch (Exception e) { + System.out.println("Unexpected exception: " + e); + e.printStackTrace(); +@@ -82,7 +105,7 @@ public class MacSameTest extends PKCS11Test { + } + } + +- private void doTest(String algo, Provider provider) ++ private void doTest(String algo, SecretKey key, Provider provider) + throws NoSuchAlgorithmException, NoSuchProviderException, + InvalidKeyException { + System.out.println("Test " + algo); +@@ -108,12 +131,7 @@ public class MacSameTest extends PKCS11Test { + byte[] tail = new byte[plain.length - OFFSET]; + System.arraycopy(plain, OFFSET, tail, 0, tail.length); + +- SecureRandom srdm = new SecureRandom(); +- byte[] keyVal = new byte[KEY_SIZE]; +- srdm.nextBytes(keyVal); +- SecretKeySpec keySpec = new SecretKeySpec(keyVal, "HMAC"); +- +- mac.init(keySpec); ++ mac.init(key); + byte[] result1 = mac.doFinal(plain); + + mac.reset(); +diff --git a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java +index 5cad8859840..7e045232e3a 100644 +--- a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java ++++ b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -23,7 +23,7 @@ + + /* + * @test +- * @bug 4856966 ++ * @bug 4856966 8242332 + * @summary + * @author Andreas Sterbenz + * @library /test/lib .. +@@ -35,6 +35,7 @@ + + import java.security.Provider; + import java.util.Random; ++import java.util.List; + import javax.crypto.Mac; + import javax.crypto.spec.SecretKeySpec; + +@@ -46,32 +47,49 @@ public class ReinitMac extends PKCS11Test { + + @Override + public void main(Provider p) throws Exception { +- if (p.getService("Mac", "HmacMD5") == null) { +- System.out.println(p + " does not support HmacMD5, skipping"); +- return; +- } ++ List algorithms = getSupportedAlgorithms("Mac", "Hmac", p); + Random random = new Random(); +- byte[] data1 = new byte[10 * 1024]; +- random.nextBytes(data1); +- byte[] keyData = new byte[16]; +- random.nextBytes(keyData); +- SecretKeySpec key = new SecretKeySpec(keyData, "Hmac"); +- Mac mac = Mac.getInstance("HmacMD5", p); ++ byte[] data = new byte[10 * 1024]; ++ random.nextBytes(data); ++ byte[] keyVal = new byte[16]; ++ random.nextBytes(keyVal); ++ ++ boolean success = true; ++ for (String alg : algorithms) { ++ try { ++ doTest(alg, p, keyVal, data); ++ } catch (Exception e) { ++ System.out.println("Unexpected exception: " + e); ++ e.printStackTrace(); ++ success = false; ++ } ++ } ++ ++ if (!success) { ++ throw new RuntimeException("Test failed"); ++ } else { ++ System.out.println("All tests passed"); ++ } ++ } ++ ++ private void doTest(String alg, Provider p, byte[] keyVal, byte[] data) ++ throws Exception { ++ System.out.println("Testing " + alg); ++ SecretKeySpec key = new SecretKeySpec(keyVal, alg); ++ Mac mac = Mac.getInstance(alg, p); + mac.init(key); + mac.init(key); +- mac.update(data1); ++ mac.update(data); + mac.init(key); + mac.doFinal(); + mac.doFinal(); +- mac.update(data1); ++ mac.update(data); + mac.doFinal(); + mac.reset(); + mac.reset(); + mac.init(key); + mac.reset(); +- mac.update(data1); ++ mac.update(data); + mac.reset(); +- +- System.out.println("All tests passed"); + } + } +diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java +index 7ced00630cc..a7a72e8ea3d 100644 +--- a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java ++++ b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -23,7 +23,7 @@ + + /* + * @test +- * @bug 4856966 8080462 ++ * @bug 4856966 8080462 8242332 + * @summary Test the MessageDigest.update(ByteBuffer) method + * @author Andreas Sterbenz + * @library /test/lib .. +@@ -36,13 +36,10 @@ import java.nio.ByteBuffer; + import java.security.*; + import java.util.Arrays; + import java.util.Random; ++import java.util.List; + + public class ByteBuffers extends PKCS11Test { + +- static final String[] ALGS = { +- "SHA-224", "SHA-256", "SHA-384", "SHA-512", "SHA-512/224", "SHA-512/256" +- }; +- + private static Random random = new Random(); + + public static void main(String[] args) throws Exception { +@@ -51,6 +48,9 @@ public class ByteBuffers extends PKCS11Test { + + @Override + public void main(Provider p) throws Exception { ++ List ALGS = getSupportedAlgorithms("MessageDigest", ++ "SHA", p); ++ + int n = 10 * 1024; + byte[] t = new byte[n]; + random.nextBytes(t); +@@ -62,13 +62,7 @@ public class ByteBuffers extends PKCS11Test { + + private void runTest(Provider p, String alg, byte[] data) throws Exception { + System.out.println("Test against " + p.getName() + " and " + alg); +- MessageDigest md; +- try { +- md = MessageDigest.getInstance(alg, p); +- } catch (NoSuchAlgorithmException e) { +- System.out.println("Skip " + alg + " due to no support"); +- return; +- } ++ MessageDigest md = MessageDigest.getInstance(alg, p); + + byte[] d1 = md.digest(data); + +diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java +index ea7909bc397..268f698276b 100644 +--- a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java ++++ b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -23,7 +23,7 @@ + + /* + * @test +- * @bug 4856966 ++ * @bug 4856966 8242332 + * @summary + * @author Andreas Sterbenz + * @library /test/lib .. +@@ -37,6 +37,7 @@ import java.security.MessageDigest; + import java.security.Provider; + import java.util.Arrays; + import java.util.Random; ++import java.util.List; + + public class ReinitDigest extends PKCS11Test { + +@@ -46,19 +47,37 @@ public class ReinitDigest extends PKCS11Test { + + @Override + public void main(Provider p) throws Exception { +- if (p.getService("MessageDigest", "MD5") == null) { +- System.out.println("Provider does not support MD5, skipping"); +- return; +- } ++ List ALGS = getSupportedAlgorithms("MessageDigest", ++ "SHA", p); + Random r = new Random(); + byte[] data1 = new byte[10 * 1024]; + byte[] data2 = new byte[10 * 1024]; + r.nextBytes(data1); + r.nextBytes(data2); +- MessageDigest md; +- md = MessageDigest.getInstance("MD5", "SUN"); ++ ++ boolean success = true; ++ for (String alg : ALGS) { ++ try { ++ doTest(alg, p, data1, data2); ++ } catch (Exception e) { ++ System.out.println("Unexpected exception: " + e); ++ e.printStackTrace(); ++ success = false; ++ } ++ } ++ ++ if (!success) { ++ throw new RuntimeException("Test failed"); ++ } ++ System.out.println("All tests passed"); ++ } ++ ++ private void doTest(String alg, Provider p, byte[] data1, byte[] data2) ++ throws Exception { ++ System.out.println("Testing " + alg); ++ MessageDigest md = MessageDigest.getInstance(alg, "SUN"); + byte[] d1 = md.digest(data1); +- md = MessageDigest.getInstance("MD5", p); ++ md = MessageDigest.getInstance(alg, p); + byte[] d2 = md.digest(data1); + check(d1, d2); + byte[] d3 = md.digest(data1); +@@ -68,7 +87,6 @@ public class ReinitDigest extends PKCS11Test { + md.reset(); + byte[] d4 = md.digest(data1); + check(d1, d4); +- System.out.println("All tests passed"); + } + + private static void check(byte[] d1, byte[] d2) throws Exception { +diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java +index b931c8564b2..ace601c7233 100644 +--- a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java ++++ b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -23,7 +23,7 @@ + + /* + * @test +- * @bug 6414899 ++ * @bug 6414899 8242332 + * @summary Ensure the cloning functionality works. + * @author Valerie Peng + * @library /test/lib .. +@@ -37,13 +37,10 @@ import java.security.MessageDigest; + import java.security.Provider; + import java.util.Arrays; + import java.util.Random; ++import java.util.List; + + public class TestCloning extends PKCS11Test { + +- private static final String[] ALGOS = { +- "MD2", "MD5", "SHA1", "SHA-224", "SHA-256", "SHA-384", "SHA-512" +- }; +- + public static void main(String[] args) throws Exception { + main(new TestCloning(), args); + } +@@ -51,44 +48,28 @@ public class TestCloning extends PKCS11Test { + private static final byte[] data1 = new byte[10]; + private static final byte[] data2 = new byte[10*1024]; + +- + @Override + public void main(Provider p) throws Exception { ++ List ALGS = getSupportedAlgorithms("MessageDigest", "SHA", p); + Random r = new Random(); + byte[] data1 = new byte[10]; + byte[] data2 = new byte[2*1024]; + r.nextBytes(data1); + r.nextBytes(data2); + System.out.println("Testing against provider " + p.getName()); +- for (int i = 0; i < ALGOS.length; i++) { +- if (p.getService("MessageDigest", ALGOS[i]) == null) { +- System.out.println(ALGOS[i] + " is not supported, skipping"); +- continue; +- } else { +- System.out.println("Testing " + ALGOS[i] + " of " + p.getName()); +- MessageDigest md = MessageDigest.getInstance(ALGOS[i], p); +- try { +- md = testCloning(md, p); +- // repeat the test again after generating digest once +- for (int j = 0; j < 10; j++) { +- md = testCloning(md, p); +- } +- } catch (Exception ex) { +- if (ALGOS[i] == "MD2" && +- p.getName().equalsIgnoreCase("SunPKCS11-NSS")) { +- // known bug in NSS; ignore for now +- System.out.println("Ignore Known bug in MD2 of NSS"); +- continue; +- } +- throw ex; +- } ++ for (String alg : ALGS) { ++ System.out.println("Testing " + alg); ++ MessageDigest md = MessageDigest.getInstance(alg, p); ++ md = testCloning(md, p); ++ // repeat the test again after generating digest once ++ for (int j = 0; j < 10; j++) { ++ md = testCloning(md, p); + } + } + } + + private static MessageDigest testCloning(MessageDigest mdObj, Provider p) +- throws Exception { +- ++ throws Exception { + // copy#0: clone at state BLANK w/o any data + MessageDigest mdCopy0 = (MessageDigest) mdObj.clone(); + +diff --git a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java +index 26eeacffed9..f5de994779c 100644 +--- a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java ++++ b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java +@@ -23,7 +23,7 @@ + + /* + * @test +- * @bug 4856966 ++ * @bug 4856966 8242332 + * @summary Test the Signature.update(ByteBuffer) method + * @author Andreas Sterbenz + * @library /test/lib .. +@@ -70,10 +70,10 @@ public class ByteBuffers extends PKCS11Test { + random.nextBytes(t); + + KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p); +- kpg.initialize(512); ++ kpg.initialize(2048); + KeyPair kp = kpg.generateKeyPair(); + +- Signature sig = Signature.getInstance("MD5withRSA", p); ++ Signature sig = Signature.getInstance("SHA256withRSA", p); + sig.initSign(kp.getPrivate()); + sig.update(t); + byte[] signature = sig.sign(); +diff --git a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java +index ccd66599fb0..a2fa7294977 100644 +--- a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java ++++ b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -25,7 +25,7 @@ import java.security.spec.*; + + /** + * @test +- * @bug 8080462 ++ * @bug 8080462 8242332 + * @summary Make sure old state is cleared when init is called again + * @library /test/lib .. + * @modules jdk.crypto.cryptoki +@@ -38,18 +38,22 @@ public class InitAgainPSS extends PKCS11Test { + + @Override + public void main(Provider p) throws Exception { ++ test("RSASSA-PSS", p); ++ } ++ ++ private void test(String sigAlg, Provider p) throws Exception { + Signature s1; + try { +- s1 = Signature.getInstance("RSASSA-PSS", p); ++ s1 = Signature.getInstance(sigAlg, p); + } catch (NoSuchAlgorithmException e) { +- System.out.println("Skip testing RSASSA-PSS" + ++ System.out.println("Skip testing " + sigAlg + + " due to no support"); + return; + } + + byte[] msg = "hello".getBytes(); + +- Signature s2 = Signature.getInstance("RSASSA-PSS", p); ++ Signature s2 = Signature.getInstance(sigAlg, p); + + PSSParameterSpec params = new PSSParameterSpec("SHA-256", "MGF1", + new MGF1ParameterSpec("SHA-256"), 32, +diff --git a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java +index 2e4fedbf1d5..f1c0492b5fc 100644 +--- a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java ++++ b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -26,7 +26,7 @@ import java.security.spec.*; + + /** + * @test +- * @bug 8080462 8226651 ++ * @bug 8080462 8226651 8242332 + * @summary Ensure that PSS key and params check are implemented properly + * regardless of call sequence + * @library /test/lib .. +@@ -55,6 +55,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test { + " due to no support"); + return; + } ++ + // NOTE: key length >= (digest length + 2) in bytes + // otherwise, even salt length = 0 would not work + runTest(p, 1024, "SHA-256", "SHA-256"); +@@ -66,10 +67,30 @@ public class KeyAndParamCheckForPSS extends PKCS11Test { + runTest(p, 1040, "SHA-512", "SHA-256"); + runTest(p, 1040, "SHA-512", "SHA-384"); + runTest(p, 1040, "SHA-512", "SHA-512"); ++ runTest(p, 1024, "SHA3-256", "SHA3-256"); ++ runTest(p, 1024, "SHA3-256", "SHA3-384"); ++ runTest(p, 1024, "SHA3-256", "SHA3-512"); ++ runTest(p, 1024, "SHA3-384", "SHA3-256"); ++ runTest(p, 1024, "SHA3-384", "SHA3-384"); ++ runTest(p, 1024, "SHA3-384", "SHA3-512"); ++ runTest(p, 1040, "SHA3-512", "SHA3-256"); ++ runTest(p, 1040, "SHA3-512", "SHA3-384"); ++ runTest(p, 1040, "SHA3-512", "SHA3-512"); + } + + private void runTest(Provider p, int keySize, String hashAlg, + String mgfHashAlg) throws Exception { ++ ++ // skip further test if this provider does not support hashAlg or ++ // mgfHashAlg ++ try { ++ MessageDigest.getInstance(hashAlg, p); ++ MessageDigest.getInstance(mgfHashAlg, p); ++ } catch (NoSuchAlgorithmException nsae) { ++ System.out.println("No support for " + hashAlg + ", skip"); ++ return; ++ } ++ + System.out.println("Testing [" + keySize + " " + hashAlg + "]"); + + // create a key pair with the supplied size +@@ -95,6 +116,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test { + } catch (InvalidKeyException ike) { + System.out.println("test#1: got expected IKE"); + } ++ + sig.setParameter(paramsGood); + sig.initSign(priv); + System.out.println("test#1: pass"); +@@ -108,8 +130,10 @@ public class KeyAndParamCheckForPSS extends PKCS11Test { + } catch (InvalidKeyException ike) { + System.out.println("test#2: got expected IKE"); + } ++ + sig.setParameter(paramsGood); + sig.initVerify(pub); ++ + System.out.println("test#2: pass"); + + // test#3 - initSign, then setParameter +@@ -121,6 +145,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test { + } catch (InvalidAlgorithmParameterException iape) { + System.out.println("test#3: got expected IAPE"); + } ++ + sig.setParameter(paramsGood); + System.out.println("test#3: pass"); + +@@ -133,6 +158,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test { + } catch (InvalidAlgorithmParameterException iape) { + System.out.println("test#4: got expected IAPE"); + } ++ + sig.setParameter(paramsGood); + System.out.println("test#4: pass"); + } +diff --git a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java +index 42ca7fa203d..8c132ca7e4f 100644 +--- a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java ++++ b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java +@@ -23,312 +23,13 @@ + + /* + * @test +- * @bug 4856966 ++ * @bug 4856966 8242332 + * @summary test that reinitializing Signatures works correctly + * @author Andreas Sterbenz + * @library /test/lib .. + * @key randomness + * @modules jdk.crypto.cryptoki + * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature +- * @run main ReinitSignature + */ + + import java.security.KeyPair; +@@ -363,11 +64,11 @@ public class ReinitSignature extends PKCS11Test { + } + + KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p); +- kpg.initialize(512); ++ kpg.initialize(2048); + KeyPair kp = kpg.generateKeyPair(); + PrivateKey privateKey = kp.getPrivate(); + PublicKey publicKey = kp.getPublic(); +- Signature sig = Signature.getInstance("MD5withRSA", p); ++ Signature sig = Signature.getInstance("SHA256withRSA", p); + byte[] data = new byte[10 * 1024]; + new Random().nextBytes(data); + sig.initSign(privateKey); +diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java +index 3c3edb5aa6a..11147022771 100644 +--- a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java ++++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -27,7 +27,7 @@ import java.security.interfaces.*; + + /* + * @test +- * @bug 8080462 8226651 ++ * @bug 8080462 8226651 8242332 + * @summary testing interoperability of PSS signatures of PKCS11 provider + * against SunRsaSign provider + * @library /test/lib .. +diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java +new file mode 100644 +index 00000000000..b8ea9863327 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java +@@ -0,0 +1,98 @@ ++/* ++ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.security.*; ++import java.security.spec.*; ++import java.security.interfaces.*; ++ ++/* ++ * @test ++ * @bug 8080462 8226651 8242332 ++ * @summary testing interoperability of PSS signatures of PKCS11 provider ++ * against SunRsaSign provider ++ * @library /test/lib .. ++ * @modules jdk.crypto.cryptoki ++ * @run main/othervm SigInteropPSS2 ++ */ ++public class SigInteropPSS2 extends PKCS11Test { ++ ++ private static final byte[] MSG = ++ "Interoperability test between SunRsaSign and SunPKCS11".getBytes(); ++ ++ private static final String[] DIGESTS = { ++ "SHA224", "SHA256", "SHA384", "SHA512", ++ "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512" ++ }; ++ ++ public static void main(String[] args) throws Exception { ++ main(new SigInteropPSS2(), args); ++ } ++ ++ @Override ++ public void main(Provider p) throws Exception { ++ ++ Signature sigPkcs11; ++ Signature sigSunRsaSign = ++ Signature.getInstance("RSASSA-PSS", "SunRsaSign"); ++ ++ KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p); ++ kpg.initialize(3072); ++ KeyPair kp = kpg.generateKeyPair(); ++ ++ for (String digest : DIGESTS) { ++ try { ++ sigPkcs11 = Signature.getInstance(digest + "withRSASSA-PSS", p); ++ } catch (NoSuchAlgorithmException e) { ++ System.out.println("Skip testing " + digest + "withRSASSA-PSS" + ++ " due to no support"); ++ continue; ++ } ++ ++ runTest(sigPkcs11, sigSunRsaSign, kp); ++ } ++ System.out.println("Test passed"); ++ } ++ ++ static void runTest(Signature signer, Signature verifier, KeyPair kp) ++ throws Exception { ++ System.out.println("\tSign: " + signer.getProvider().getName()); ++ System.out.println("\tVerify: " + verifier.getProvider().getName()); ++ ++ signer.initSign(kp.getPrivate()); ++ signer.update(MSG); ++ byte[] sigBytes = signer.sign(); ++ ++ AlgorithmParameters signParams = signer.getParameters(); ++ verifier.setParameter(signParams.getParameterSpec ++ (PSSParameterSpec.class)); ++ verifier.initVerify(kp.getPublic()); ++ ++ verifier.update(MSG); ++ boolean isValid = verifier.verify(sigBytes); ++ if (isValid) { ++ System.out.println("\tPSS Signature verified"); ++ } else { ++ throw new RuntimeException("ERROR verifying PSS Signature"); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java +index 3a6dbe345e9..4c1f7284bbc 100644 +--- a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java ++++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -27,7 +27,7 @@ import java.util.stream.IntStream; + + /** + * @test +- * @bug 8080462 8226651 ++ * @bug 8080462 8226651 8242332 + * @summary Generate a RSASSA-PSS signature and verify it using PKCS11 provider + * @library /test/lib .. + * @modules jdk.crypto.cryptoki +@@ -40,8 +40,10 @@ public class SignatureTestPSS extends PKCS11Test { + private static final String SIGALG = "RSASSA-PSS"; + + private static final int[] KEYSIZES = { 2048, 3072 }; +- private static final String[] DIGESTS = { "SHA-224", "SHA-256", +- "SHA-384" , "SHA-512" }; ++ private static final String[] DIGESTS = { ++ "SHA-224", "SHA-256", "SHA-384" , "SHA-512", ++ "SHA3-224", "SHA3-256", "SHA3-384" , "SHA3-512", ++ }; + private Provider prov; + + /** +@@ -115,7 +117,22 @@ public class SignatureTestPSS extends PKCS11Test { + throws NoSuchAlgorithmException, InvalidKeyException, + SignatureException, NoSuchProviderException, + InvalidAlgorithmParameterException { +- System.out.println("Testing against " + hash + " and MGF1_" + mgfHash); ++ ++ String testName = hash + " and MGF1_" + mgfHash; ++ // only test RSASSA-PSS signature against the supplied hash/mgfHash ++ // if they are supported; otherwise PKCS11 library will throw ++ // CKR_MECHANISM_PARAM_INVALID at Signature.initXXX calls ++ try { ++ MessageDigest md = MessageDigest.getInstance(hash, prov); ++ if (!hash.equalsIgnoreCase(mgfHash)) { ++ md = MessageDigest.getInstance(mgfHash, prov); ++ } ++ } catch (NoSuchAlgorithmException nsae) { ++ System.out.println("Skip testing " + hash + "/" + mgfHash); ++ return; ++ } ++ ++ System.out.println("Testing against " + testName); + Signature sig = Signature.getInstance(SIGALG, prov); + AlgorithmParameterSpec params = new PSSParameterSpec( + hash, "MGF1", new MGF1ParameterSpec(mgfHash), 0, 1); +diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java +new file mode 100644 +index 00000000000..516b17972e5 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java +@@ -0,0 +1,140 @@ ++/* ++ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++import java.security.*; ++import java.security.interfaces.*; ++import java.security.spec.*; ++import java.util.stream.IntStream; ++ ++/** ++ * @test ++ * @bug 8244154 8242332 ++ * @summary Generate a withRSASSA-PSS signature and verify it using ++ * PKCS11 provider ++ * @library /test/lib .. ++ * @modules jdk.crypto.cryptoki ++ * @run main SignatureTestPSS2 ++ */ ++public class SignatureTestPSS2 extends PKCS11Test { ++ ++ // PKCS11 does not support RSASSA-PSS keys yet ++ private static final String KEYALG = "RSA"; ++ private static final String[] SIGALGS = { ++ "SHA224withRSASSA-PSS", "SHA256withRSASSA-PSS", ++ "SHA384withRSASSA-PSS", "SHA512withRSASSA-PSS", ++ "SHA3-224withRSASSA-PSS", "SHA3-256withRSASSA-PSS", ++ "SHA3-384withRSASSA-PSS", "SHA3-512withRSASSA-PSS" ++ }; ++ ++ private static final int[] KEYSIZES = { 2048, 3072 }; ++ ++ /** ++ * How much times signature updated. ++ */ ++ private static final int UPDATE_TIMES = 2; ++ ++ public static void main(String[] args) throws Exception { ++ main(new SignatureTestPSS2(), args); ++ } ++ ++ @Override ++ public void main(Provider p) throws Exception { ++ for (String sa : SIGALGS) { ++ Signature sig; ++ try { ++ sig = Signature.getInstance(sa, p); ++ } catch (NoSuchAlgorithmException e) { ++ System.out.println("Skip testing " + sa + ++ " due to no support"); ++ return; ++ } ++ for (int i : KEYSIZES) { ++ runTest(sig, i); ++ } ++ } ++ } ++ ++ private static void runTest(Signature s, int keySize) throws Exception { ++ byte[] data = new byte[100]; ++ IntStream.range(0, data.length).forEach(j -> { ++ data[j] = (byte) j; ++ }); ++ System.out.println("[KEYSIZE = " + keySize + "]"); ++ ++ // create a key pair ++ KeyPair kpair = generateKeys(KEYALG, keySize, s.getProvider()); ++ test(s, kpair.getPrivate(), kpair.getPublic(), data); ++ } ++ ++ private static void test(Signature sig, PrivateKey privKey, ++ PublicKey pubKey, byte[] data) throws RuntimeException { ++ // For signature algorithm, create and verify a signature ++ try { ++ checkSignature(sig, privKey, pubKey, data); ++ } catch (NoSuchAlgorithmException | InvalidKeyException | ++ SignatureException | NoSuchProviderException ex) { ++ throw new RuntimeException(ex); ++ } catch (InvalidAlgorithmParameterException ex2) { ++ System.out.println("Skip test due to " + ex2); ++ } ++ } ++ ++ private static KeyPair generateKeys(String keyalg, int size, Provider p) ++ throws NoSuchAlgorithmException { ++ KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyalg, p); ++ kpg.initialize(size); ++ return kpg.generateKeyPair(); ++ } ++ ++ private static void checkSignature(Signature sig, PrivateKey priv, ++ PublicKey pub, byte[] data) throws NoSuchAlgorithmException, ++ InvalidKeyException, SignatureException, NoSuchProviderException, ++ InvalidAlgorithmParameterException { ++ System.out.println("Testing against " + sig.getAlgorithm()); ++ sig.initSign(priv); ++ for (int i = 0; i < UPDATE_TIMES; i++) { ++ sig.update(data); ++ } ++ byte[] signedData = sig.sign(); ++ ++ // Make sure signature verifies with original data ++ // do we need to call sig.setParameter(params) again? ++ sig.initVerify(pub); ++ for (int i = 0; i < UPDATE_TIMES; i++) { ++ sig.update(data); ++ } ++ if (!sig.verify(signedData)) { ++ throw new RuntimeException("Failed to verify signature"); ++ } ++ ++ // Make sure signature does NOT verify when the original data ++ // has changed ++ sig.initVerify(pub); ++ for (int i = 0; i < UPDATE_TIMES + 1; i++) { ++ sig.update(data); ++ } ++ ++ if (sig.verify(signedData)) { ++ throw new RuntimeException("Failed to detect bad signature"); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java +index 222f8a2a5ed..3161de6fc50 100644 +--- a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java ++++ b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -22,7 +22,7 @@ + */ + /* + * @test +- * @bug 8080462 ++ * @bug 8080462 8242332 + * @library /test/lib .. + * @modules jdk.crypto.cryptoki + * @run main/othervm/timeout=250 TestDSA2 +@@ -40,8 +40,12 @@ public class TestDSA2 extends PKCS11Test { + private static final String[] SIG_ALGOS = { + "SHA224withDSA", + "SHA256withDSA", +- //"SHA384withDSA", +- //"SHA512withDSA", ++ "SHA3-224withDSA", ++ "SHA3-256withDSA", ++ "SHA384withDSA", ++ "SHA512withDSA", ++ "SHA3-384withDSA", ++ "SHA3-512withDSA", + }; + + private static final int KEYSIZE = 2048; +@@ -59,25 +63,33 @@ public class TestDSA2 extends PKCS11Test { + kp = kpg.generateKeyPair(); + } catch (Exception ex) { + System.out.println("Skip due to no 2048-bit DSA support: " + ex); +- ex.printStackTrace(); + return; + } + ++ boolean allPass = true; + for (String sigAlg : SIG_ALGOS) { +- test(sigAlg, kp, p); ++ System.out.println("Testing " + sigAlg); ++ try { ++ Signature sig = Signature.getInstance(sigAlg, p); ++ test(sig, kp, p); ++ } catch (NoSuchAlgorithmException nsae) { ++ System.out.println("=>Skip due to no support"); ++ } catch (Exception ex) { ++ System.out.println("Unexpected exception when testing " + ++ sigAlg); ++ ex.printStackTrace(); ++ allPass = false; ++ } ++ } ++ if (allPass) { ++ System.out.println("Tests Passed"); ++ } else { ++ throw new RuntimeException("One or more tests failed"); + } + } + +- private static void test(String sigAlg, KeyPair kp, Provider p) ++ private static void test(Signature sig, KeyPair kp, Provider p) + throws Exception { +- Signature sig; +- try { +- sig = Signature.getInstance(sigAlg, p); +- } catch (Exception ex) { +- System.out.println("Skip due to no support: " + sigAlg); +- ex.printStackTrace(); +- return; +- } + + byte[] data = "anything will do".getBytes(); + +@@ -85,9 +97,10 @@ public class TestDSA2 extends PKCS11Test { + sig.update(data); + byte[] signature = sig.sign(); + +- sig.initVerify(kp.getPublic()); +- sig.update(data); +- boolean verifies = sig.verify(signature); +- System.out.println(sigAlg + ": Passed"); ++ Signature sigV = Signature.getInstance(sig.getAlgorithm() , p); ++ sigV.initVerify(kp.getPublic()); ++ sigV.update(data); ++ boolean verifies = sigV.verify(signature); ++ System.out.println("=> Passed"); + } + } +diff --git a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java +index f469ca17b65..7e5a012a5ec 100644 +--- a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java ++++ b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java +@@ -22,8 +22,8 @@ + */ + + /* +- * @test %W% %E% +- * @bug 6695485 ++ * @test ++ * @bug 6695485 8242332 + * @summary Make sure initSign/initVerify() check RSA key lengths + * @author Yu-Ching Valerie Peng + * @library /test/lib .. +@@ -65,9 +65,14 @@ public class TestRSAKeyLength extends PKCS11Test { + return; + } + +- boolean isValidKeyLength[] = { true, true, true, false, false }; +- String algos[] = { "SHA1withRSA", "SHA224withRSA", "SHA256withRSA", +- "SHA384withRSA", "SHA512withRSA" }; ++ boolean isValidKeyLength[] = { ++ true, true, true, false, false, true, true, false, false ++ }; ++ String algos[] = { ++ "SHA1withRSA", "SHA224withRSA", "SHA256withRSA", ++ "SHA384withRSA", "SHA512withRSA", "SHA3-224withRSA", ++ "SHA3-256withRSA", "SHA3-384withRSA", "SHA3-512withRSA" ++ }; + KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p); + kpg.initialize(512); + KeyPair kp = kpg.generateKeyPair(); +diff --git a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt +index 49778ea954c..576b1dc4d69 100644 +--- a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt ++++ b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt +@@ -11,12 +11,23 @@ library = ${pkcs11test.nss.lib} + + nssArgs = "configdir='${pkcs11test.nss.db}' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly" + +-# HMAC_SHA256/384/512 broken until NSS 3.10.2 +-# see https://bugzilla.mozilla.org/show_bug.cgi?id=291858 + disabledMechanisms = { +- CKM_SHA256_HMAC +- CKM_SHA384_HMAC +- CKM_SHA512_HMAC ++ CKM_DSA_SHA224 ++ CKM_DSA_SHA256 ++ CKM_DSA_SHA384 ++ CKM_DSA_SHA512 ++ CKM_DSA_SHA3_224 ++ CKM_DSA_SHA3_256 ++ CKM_DSA_SHA3_384 ++ CKM_DSA_SHA3_512 ++ CKM_ECDSA_SHA224 ++ CKM_ECDSA_SHA256 ++ CKM_ECDSA_SHA384 ++ CKM_ECDSA_SHA512 ++ CKM_ECDSA_SHA3_224 ++ CKM_ECDSA_SHA3_256 ++ CKM_ECDSA_SHA3_384 ++ CKM_ECDSA_SHA3_512 + } + + attributes = compatibility diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch deleted file mode 100644 index 53026ad..0000000 --- a/rh1648644-java_access_bridge_privileged_security.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openjdk/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -304,6 +304,8 @@ - # - package.access=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # List of comma-separated packages that start with or equal this string -@@ -316,6 +318,8 @@ - # - package.definition=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # Determines whether this properties file can be appended to diff --git a/sources b/sources index 39bf292..19396c9 100644 --- a/sources +++ b/sources @@ -1,2 +1,32 @@ -SHA512 (openjdk-jdk11u-jdk-11.0.18+10-4curve.tar.xz) = c946ec14e1fb4ec40269e0928734368a6d68712549ae450e346d53ab1ae553a280402c6c7e346c859a3e65ec83fc1adefbad733fe8d5e89f0b6d43314558a0b5 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 +SHA512 (openjdk-jdk11u-jdk-11.0.18+10-4curve.tar.xz) = c946ec14e1fb4ec40269e0928734368a6d68712549ae450e346d53ab1ae553a280402c6c7e346c859a3e65ec83fc1adefbad733fe8d5e89f0b6d43314558a0b5 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.docs.el.aarch64.tar.xz) = e4cd47dc2c1891e30b56cc6595509fc1fe759dbe5a56945de1968279239d05e243f247a59c628aa10920c9661ec28520f0cf4f38329a71fadf1db57811f762c3 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.docs.el.ppc64le.tar.xz) = ce86829210e6fe90f63fb4f85b2c39b4cdc6abca12261199c14af3f1ec5a3bc17bcaec85b650664617d44c1821840f45f75e7c49bc95364927ad849d82ad6b12 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.docs.el.s390x.tar.xz) = c479c486e1e69d0d810dd71c3d501ee5b121da467963ff3f554be591b5075a90d39963453e16f6e72b918ddf7a593048dc5c03e7dd7d23ac62cc159cade8f2c7 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.docs.el.x86_64.tar.xz) = 731b0e0d8e2548b8d40731f95ca83d0f45a2c22188788292a6acd2779413248452672578b1c36c5ee160e3d76284075c97d50a03b76be3f6112df2d112e6b0b4 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.jdk.el.aarch64.tar.xz) = e553077b210646305765646d364a8857d7fae8cf822f88f53c358ccba85dbc7f89f240f3e93a81a4bf18d16135ee5745a2daec6a65265dfaaa1916644214517c +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.jdk.el.ppc64le.tar.xz) = 66ee158f1012449ccdbd28472f94b9453d4f4ae4a76d9da67df460569820a2fc4affeacac2ff20aa323b65c0fe595fbd4d92d294d5bb946b7364cf3e661ee478 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.jdk.el.x86_64.tar.xz) = 518d7ca35f952cada6d4bea198583de9e875a49d89f8879eed5b997e70617428647b9963e61fb1fbd0d6576404bfcd7f209347339143887f7011a0d548b1d2cc +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.static-libs.el.aarch64.tar.xz) = cedd2b0576f119184b350cb720935fa81ffed76caac8bab6df8eda5ea3a74e2828abaf6b3a0f8c61757d6eaf1cf88a160cf71c54c3ff121fc8e60881d0aba532 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.static-libs.el.ppc64le.tar.xz) = 1d26146716ece20981b5edeedb210ee61fbe14924e36fefdde94faaabe07e7ff8ae541aecc4c7fd7e027fa9b3d56faa2e551392ba071c535123fdd81ded5fb6b +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.fastdebug.static-libs.el.x86_64.tar.xz) = a2f5364c8fbf9fc603d7ba35d2584b4ebe5450309fe523e4c845141fb48c36d8f99bf7aab35cb7d4136377f4f13e34215171ca427418c5b8faa84c3027a81370 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.misc.el.aarch64.tar.xz) = efed481fd1e99d36275660a2cbe3a6e2821bde88d889c0a3139b84a9c0ce4fbbf2fce93533a8a842cb9227d735db355926dfbdbe899c5200b000aebe3c3eb294 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.misc.el.ppc64le.tar.xz) = 3afeebc64fe7e93773031928d45e1a88eeb2e0a3bf0aa972242a057c908f888d49294e098dae8da00f0df9d51da7a5e4cbcd3c900092e38a3a2469cc68d8abf7 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.misc.el.s390x.tar.xz) = d71081c9494cb224942d8f4d675195cdfb98d88487f718fc54c4e7584c04a54b2402786a3cc66d9134edf212b8c5717cb35e2131c38202edf5eb382e4866e869 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.misc.el.x86_64.tar.xz) = 3b988ee4129930aef6279384c42e03503c598d6d12048374d2d392350d3b93cf634b530e1cbe88b2e05bc7f02bef269db6882be95f11a9203831dbccaf0f4833 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.aarch64.tar.xz) = 8be9b1c0023560eb591cfbb30a86479c2342a0d9210cf1b968f568fb5041b785b2216a9917e1de2d9a98a83416fd24300ac4bb9db2131b2e9d50288ffe43ba8a +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.ppc64le.tar.xz) = 08fbe43c17ff06ab1e01c24c9842293fcc7a4b06248b30c06019b42cd9a5b8a043693c6ff5aaafae21b619949b7e1dc6b41d2b136fabf90c62e194b06c85e875 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.s390x.tar.xz) = f3e587b5de6c9256f02d6ede8e2f9c859cfad7cb8d15e6039fe0d097b85925901eaff90e5dc3dc23be31977d64f1d4a778a14286f3b9bc0636301bbe231ff269 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.jdk.el.x86_64.tar.xz) = 1c4556347123987e30114f38c473fba34a9a6859d1ddea689d601f0205232a0841ddd3609df7944894d623b7dc72be76ec643ddf978c2cd707c0ff3acf63d75c +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.aarch64.tar.xz) = 95d1db9c040ccf6b42f65d367739b3847959895a93c4a2992085b5deed909bd85eeedcedf81404749ae1b479566910b30cef041a29493fea76da84896da5f0a6 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.ppc64le.tar.xz) = 445af74379a649859d749b06ce19513c8c3d2d06f924a01ee16c6d2eb11d152fb446239a468062e597ce7df7e5c0a5c70cd2b4ff074125ffd80029450e6e48ae +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.s390x.tar.xz) = 0142e2634c07915adc1d4c42abe01e9feaf753e417bc22e407ff05b2c58a8ab04ed779c576c11994fc2ec59d82237b8a48cd7bb4f8ae306407bee465a1ccafd4 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.slowdebug.static-libs.el.x86_64.tar.xz) = 10c68b33fff30821585fea6a3c875db4ae4d23022f92b45b97cba65fc09ecb1fe617f394b24cb95ea6c4524ca46a813f03a98c24b1b31b1455119eb15f52a7a8 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.aarch64.tar.xz) = 2d252699817468f2ede3447cb00b5fa552363c3f3274ee7ab27e33d2c067d0781018ef0a326a20221a034f7c0c67f6fa509c6ec4c26b32e1e6373d4f890e122d +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.ppc64le.tar.xz) = 2ee93a12dc7cc0d9dc9f362a5c20149ac302306fbe421e7422f0cdf9ade3a24fa9d82d492d7bc532d9cece889db7622ece2d5912b56a5cccf8f760baa9aebc7b +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.s390x.tar.xz) = 50b700ad7050881cdbd75b75e9595244214c2661b7a06947776508b8e0b5ac14b319eb0ee3bc936555d81958cfb799a5d0305e20ad1c837eb2d1e8b7756762da +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.static-libs.el.x86_64.tar.xz) = e8250c41e1bbb60d58c81c1e72b1cc393a322202978f2e0c120f3a50b3cbd85212c0c3cdf935451e00ebae0cb38122d91455c920131c72ab7c161fa4416c8270 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.aarch64.tar.xz) = 0907e5b6a37bec907c7f93ac8b61a5f2bd4ac77561871374600b8c655c4b39ac7b069a95f1678d787dd525c0490dab6a8eb976197d579d2b8282666690877984 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.ppc64le.tar.xz) = c677c2793e6c2ea948e8564ff4f6bdb239cb86c55b9ac8e021e8a28395587639f4273ccb491a48c616725a21747aca664a4048f68f99b333512292af655ca8ee +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.s390x.tar.xz) = 9acec9f5847518b086f95235b989ec379c890cb8913378a23c207e092ca6c825efa5371614823563fb43c81e2c2b1c4fdbfab995e2f0f98954be7b7dc284a8c1 +SHA512 (java-11-openjdk-11.0.18.0.10-6.portable.unstripped.jdk.el.x86_64.tar.xz) = e0e9795e72934537e11ee13cef605a1e4437c35d7a64d87e67ba07f816d7aa74030ee7a28d50c28fdcb6bfce67b2cb0b8367250ebb9923d0cf436b845b0e8377