java-11-openjdk/jdk8242332-rh2108712-sha3-sunpkcs11.patch
Andrew Hughes 354f2edc44 On portable architectures, replace build section with extraction of existing builds from portables
Rewrite ELF files so the source file path is correct and debugsources can be assembled
Backport SHA-3 support for PKCS11 provider
Sync patch set with portable build we are using by removing rh1648644-java_access_bridge_privileged_security.patch

Related: RHEL-30918
2024-04-28 00:29:32 +01:00

2732 lines
107 KiB
Diff

commit 81c2107a9188680f7c35ebc7697b292d5972436e
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Feb 27 13:22:43 2023 +0000
Backport 78be334c3817a1b5840922a9bf1339a40dcc5185
diff --git a/src/java.base/share/classes/sun/security/util/KnownOIDs.java b/src/java.base/share/classes/sun/security/util/KnownOIDs.java
index 92ecb9adc0c..a5848c96aad 100644
--- a/src/java.base/share/classes/sun/security/util/KnownOIDs.java
+++ b/src/java.base/share/classes/sun/security/util/KnownOIDs.java
@@ -155,6 +155,14 @@ public enum KnownOIDs {
SHA256withDSA("2.16.840.1.101.3.4.3.2"),
SHA384withDSA("2.16.840.1.101.3.4.3.3"),
SHA512withDSA("2.16.840.1.101.3.4.3.4"),
+ SHA3_224withDSA("2.16.840.1.101.3.4.3.5", "SHA3-224withDSA"),
+ SHA3_256withDSA("2.16.840.1.101.3.4.3.6", "SHA3-256withDSA"),
+ SHA3_384withDSA("2.16.840.1.101.3.4.3.7", "SHA3-384withDSA"),
+ SHA3_512withDSA("2.16.840.1.101.3.4.3.8", "SHA3-512withDSA"),
+ SHA3_224withECDSA("2.16.840.1.101.3.4.3.9", "SHA3-224withECDSA"),
+ SHA3_256withECDSA("2.16.840.1.101.3.4.3.10", "SHA3-256withECDSA"),
+ SHA3_384withECDSA("2.16.840.1.101.3.4.3.11", "SHA3-384withECDSA"),
+ SHA3_512withECDSA("2.16.840.1.101.3.4.3.12", "SHA3-512withECDSA"),
SHA3_224withRSA("2.16.840.1.101.3.4.3.13", "SHA3-224withRSA"),
SHA3_256withRSA("2.16.840.1.101.3.4.3.14", "SHA3-256withRSA"),
SHA3_384withRSA("2.16.840.1.101.3.4.3.15", "SHA3-384withRSA"),
diff --git a/src/java.base/share/classes/sun/security/util/SignatureUtil.java b/src/java.base/share/classes/sun/security/util/SignatureUtil.java
index 32c089fd96d..7d5c0c7e299 100644
--- a/src/java.base/share/classes/sun/security/util/SignatureUtil.java
+++ b/src/java.base/share/classes/sun/security/util/SignatureUtil.java
@@ -168,4 +168,22 @@ public class SignatureUtil {
InvalidKeyException {
SharedSecrets.getJavaSecuritySignatureAccess().initSign(s, key, params, sr);
}
+
+ /**
+ * Extracts the digest algorithm name from a signature
+ * algorithm name in either the "DIGESTwithENCRYPTION" or the
+ * "DIGESTwithENCRYPTIONandWHATEVER" format.
+ *
+ * It's OK to return "SHA1" instead of "SHA-1".
+ */
+ public static String extractDigestAlgFromDwithE(String signatureAlgorithm) {
+ signatureAlgorithm = signatureAlgorithm.toUpperCase(Locale.ENGLISH);
+ int with = signatureAlgorithm.indexOf("WITH");
+ if (with > 0) {
+ return signatureAlgorithm.substring(0, with);
+ } else {
+ throw new IllegalArgumentException(
+ "Unknown algorithm: " + signatureAlgorithm);
+ }
+ }
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
index 41fe61b8a16..daf0bc9f69c 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -41,7 +41,8 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
/**
* MessageDigest implementation class. This class currently supports
- * MD2, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
+ * MD2, MD5, SHA-1, SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512)
+ * and SHA-3 family (SHA3-224, SHA3-256, SHA3-384, and SHA3-512) of digests.
*
* Note that many digest operations are on fairly small amounts of data
* (less than 100 bytes total). For example, the 2nd hashing in HMAC or
@@ -104,16 +105,20 @@ final class P11Digest extends MessageDigestSpi implements Cloneable,
break;
case (int)CKM_SHA224:
case (int)CKM_SHA512_224:
+ case (int)CKM_SHA3_224:
digestLength = 28;
break;
case (int)CKM_SHA256:
case (int)CKM_SHA512_256:
+ case (int)CKM_SHA3_256:
digestLength = 32;
break;
case (int)CKM_SHA384:
+ case (int)CKM_SHA3_384:
digestLength = 48;
break;
case (int)CKM_SHA512:
+ case (int)CKM_SHA3_512:
digestLength = 64;
break;
default:
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
index 926414608cb..f343e6025e1 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
@@ -36,7 +36,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
/**
* KeyGenerator implementation class. This class currently supports
- * DES, DESede, AES, ARCFOUR, and Blowfish.
+ * DES, DESede, AES, ARCFOUR, Blowfish, Hmac using MD5, SHA, SHA-2 family
+ * (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256), and SHA-3
+ * family (SHA3-224, SHA3-256, SHA3-384, SHA3-512) of digests.
*
* @author Andreas Sterbenz
* @since 1.5
@@ -65,6 +67,48 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
// are supported.
private boolean supportBothKeySizes;
+ // for determining if the specified key size is valid
+ private final CK_MECHANISM_INFO range;
+
+ // utility method for query the native key sizes and enforcing the
+ // java-specific lower limit; returned values are in bits
+ private static CK_MECHANISM_INFO getSupportedRange(Token token,
+ long mech) throws ProviderException {
+ // No need to query for fix-length algorithms
+ if (mech == CKM_DES_KEY_GEN || mech == CKM_DES2_KEY_GEN ||
+ mech == CKM_DES3_KEY_GEN) {
+ return null;
+ }
+
+ // Explicitly disallow keys shorter than 40-bits for security
+ int lower = 40;
+ int upper = Integer.MAX_VALUE;
+ try {
+ CK_MECHANISM_INFO info = token.getMechanismInfo(mech);
+ if (info != null) {
+ boolean isBytes = ((mech != CKM_GENERIC_SECRET_KEY_GEN
+ && mech != CKM_RC4_KEY_GEN) || info.iMinKeySize < 8);
+ lower = Math.max(lower, (isBytes?
+ Math.multiplyExact(info.iMinKeySize, 8) :
+ info.iMinKeySize));
+ // NSS CKM_GENERIC_SECRET_KEY_GEN mech info is not precise;
+ // its upper limit is too low and does not match its impl
+ if (mech == CKM_GENERIC_SECRET_KEY_GEN &&
+ info.iMaxKeySize <= 32) {
+ // ignore and leave upper limit at MAX_VALUE;
+ } else if (info.iMaxKeySize != Integer.MAX_VALUE) {
+ upper = (isBytes?
+ Math.multiplyExact(info.iMaxKeySize, 8) :
+ info.iMaxKeySize);
+ }
+ }
+ } catch (PKCS11Exception p11e) {
+ // Should never happen
+ throw new ProviderException("Cannot retrieve mechanism info", p11e);
+ }
+ return new CK_MECHANISM_INFO(lower, upper, 0 /* flags not used */);
+ }
+
/**
* Utility method for checking if the specified key size is valid
* and within the supported range. Return the significant key size
@@ -78,8 +122,15 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
* @throws ProviderException if this mechanism isn't supported by SunPKCS11
* or underlying native impl.
*/
+ // called by P11SecretKeyFactory to check key size
static int checkKeySize(long keyGenMech, int keySize, Token token)
throws InvalidAlgorithmParameterException, ProviderException {
+ CK_MECHANISM_INFO range = getSupportedRange(token, keyGenMech);
+ return checkKeySize(keyGenMech, keySize, range);
+ }
+
+ private static int checkKeySize(long keyGenMech, int keySize,
+ CK_MECHANISM_INFO range) throws InvalidAlgorithmParameterException {
int sigKeySize;
switch ((int)keyGenMech) {
case (int)CKM_DES_KEY_GEN:
@@ -102,45 +153,17 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
break;
default:
// Handle all variable-key-length algorithms here
- CK_MECHANISM_INFO info = null;
- try {
- info = token.getMechanismInfo(keyGenMech);
- } catch (PKCS11Exception p11e) {
- // Should never happen
- throw new ProviderException
- ("Cannot retrieve mechanism info", p11e);
- }
- if (info == null) {
- // XXX Unable to retrieve the supported key length from
- // the underlying native impl. Skip the checking for now.
- return keySize;
- }
- // PKCS#11 defines these to be in number of bytes except for
- // RC4 which is in bits. However, some PKCS#11 impls still use
- // bytes for all mechs, e.g. NSS. We try to detect this
- // inconsistency if the minKeySize seems unreasonably small.
- int minKeySize = info.iMinKeySize;
- int maxKeySize = info.iMaxKeySize;
- if (keyGenMech != CKM_RC4_KEY_GEN || minKeySize < 8) {
- minKeySize = Math.multiplyExact(minKeySize, 8);
- if (maxKeySize != Integer.MAX_VALUE) {
- maxKeySize = Math.multiplyExact(maxKeySize, 8);
- }
- }
- // Explicitly disallow keys shorter than 40-bits for security
- if (minKeySize < 40) minKeySize = 40;
- if (keySize < minKeySize || keySize > maxKeySize) {
+ if (range != null && keySize < range.iMinKeySize
+ || keySize > range.iMaxKeySize) {
throw new InvalidAlgorithmParameterException
- ("Key length must be between " + minKeySize +
- " and " + maxKeySize + " bits");
+ ("Key length must be between " + range.iMinKeySize +
+ " and " + range.iMaxKeySize + " bits");
}
if (keyGenMech == CKM_AES_KEY_GEN) {
if ((keySize != 128) && (keySize != 192) &&
(keySize != 256)) {
throw new InvalidAlgorithmParameterException
- ("AES key length must be " + minKeySize +
- (maxKeySize >= 192? ", 192":"") +
- (maxKeySize >= 256? ", or 256":"") + " bits");
+ ("AES key length must be 128, 192, or 256 bits");
}
}
sigKeySize = keySize;
@@ -148,6 +171,20 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
return sigKeySize;
}
+ // check the supplied keysize (in bits) and adjust it based on the given
+ // range
+ private static int adjustKeySize(int ks, CK_MECHANISM_INFO mi) {
+ // adjust to fit within the supported range
+ if (mi != null) {
+ if (ks < mi.iMinKeySize) {
+ ks = mi.iMinKeySize;
+ } else if (ks > mi.iMaxKeySize) {
+ ks = mi.iMaxKeySize;
+ }
+ }
+ return ks;
+ }
+
P11KeyGenerator(Token token, String algorithm, long mechanism)
throws PKCS11Exception {
super();
@@ -164,54 +201,140 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
(token.provider.config.isEnabled(CKM_DES2_KEY_GEN) &&
(token.getMechanismInfo(CKM_DES2_KEY_GEN) != null));
}
- setDefaultKeySize();
+ this.range = getSupportedRange(token, mechanism);
+ setDefault();
}
- // set default keysize and also initialize keyType
- private void setDefaultKeySize() {
+ // set default keysize and keyType
+ private void setDefault() {
+ significantKeySize = -1;
switch ((int)mechanism) {
case (int)CKM_DES_KEY_GEN:
keySize = 64;
keyType = CKK_DES;
+ significantKeySize = 56;
break;
case (int)CKM_DES2_KEY_GEN:
keySize = 128;
keyType = CKK_DES2;
+ significantKeySize = 112;
break;
case (int)CKM_DES3_KEY_GEN:
keySize = 192;
keyType = CKK_DES3;
+ significantKeySize = 168;
break;
case (int)CKM_AES_KEY_GEN:
- keySize = 128;
+ keySize = adjustKeySize(128, range);
keyType = CKK_AES;
break;
case (int)CKM_RC4_KEY_GEN:
- keySize = 128;
+ keySize = adjustKeySize(128, range);
keyType = CKK_RC4;
break;
case (int)CKM_BLOWFISH_KEY_GEN:
- keySize = 128;
+ keySize = adjustKeySize(128, range);
keyType = CKK_BLOWFISH;
break;
case (int)CKM_CHACHA20_KEY_GEN:
keySize = 256;
keyType = CKK_CHACHA20;
break;
+ case (int)CKM_SHA_1_KEY_GEN:
+ keySize = adjustKeySize(160, range);
+ keyType = CKK_SHA_1_HMAC;
+ break;
+ case (int)CKM_SHA224_KEY_GEN:
+ keySize = adjustKeySize(224, range);
+ keyType = CKK_SHA224_HMAC;
+ break;
+ case (int)CKM_SHA256_KEY_GEN:
+ keySize = adjustKeySize(256, range);
+ keyType = CKK_SHA256_HMAC;
+ break;
+ case (int)CKM_SHA384_KEY_GEN:
+ keySize = adjustKeySize(384, range);
+ keyType = CKK_SHA384_HMAC;
+ break;
+ case (int)CKM_SHA512_KEY_GEN:
+ keySize = adjustKeySize(512, range);
+ keyType = CKK_SHA512_HMAC;
+ break;
+ case (int)CKM_SHA512_224_KEY_GEN:
+ keySize = adjustKeySize(224, range);
+ keyType = CKK_SHA512_224_HMAC;
+ break;
+ case (int)CKM_SHA512_256_KEY_GEN:
+ keySize = adjustKeySize(256, range);
+ keyType = CKK_SHA512_256_HMAC;
+ break;
+ case (int)CKM_SHA3_224_KEY_GEN:
+ keySize = adjustKeySize(224, range);
+ keyType = CKK_SHA3_224_HMAC;
+ break;
+ case (int)CKM_SHA3_256_KEY_GEN:
+ keySize = adjustKeySize(256, range);
+ keyType = CKK_SHA3_256_HMAC;
+ break;
+ case (int)CKM_SHA3_384_KEY_GEN:
+ keySize = adjustKeySize(384, range);
+ keyType = CKK_SHA3_384_HMAC;
+ break;
+ case (int)CKM_SHA3_512_KEY_GEN:
+ keySize = adjustKeySize(512, range);
+ keyType = CKK_SHA3_512_HMAC;
+ break;
+ case (int)CKM_GENERIC_SECRET_KEY_GEN:
+ if (algorithm.startsWith("Hmac")) {
+ String digest = algorithm.substring(4);
+ switch (digest) {
+ case "MD5":
+ keySize = 512;
+ break;
+ case "SHA1":
+ keySize = 160;
+ break;
+ case "SHA224":
+ case "SHA512/224":
+ case "SHA3-224":
+ keySize = 224;
+ break;
+ case "SHA256":
+ case "SHA512/256":
+ case "SHA3-256":
+ keySize = 256;
+ break;
+ case "SHA384":
+ case "SHA3-384":
+ keySize = 384;
+ break;
+ case "SHA512":
+ case "SHA3-512":
+ keySize = 512;
+ break;
+ default:
+ throw new ProviderException("Unsupported algorithm " +
+ algorithm);
+ }
+ keySize = adjustKeySize(keySize, range);
+ } else {
+ throw new ProviderException("Unsupported algorithm " +
+ algorithm);
+ }
+ keyType = CKK_GENERIC_SECRET;
+ break;
default:
throw new ProviderException("Unknown mechanism " + mechanism);
}
- try {
- significantKeySize = checkKeySize(mechanism, keySize, token);
- } catch (InvalidAlgorithmParameterException iape) {
- throw new ProviderException("Unsupported default key size", iape);
+ if (significantKeySize == -1) {
+ significantKeySize = keySize;
}
}
// see JCE spec
protected void engineInit(SecureRandom random) {
token.ensureValid();
- setDefaultKeySize();
+ setDefault();
}
// see JCE spec
@@ -226,7 +349,7 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
token.ensureValid();
int newSignificantKeySize;
try {
- newSignificantKeySize = checkKeySize(mechanism, keySize, token);
+ newSignificantKeySize = checkKeySize(mechanism, keySize, range);
} catch (InvalidAlgorithmParameterException iape) {
throw (InvalidParameterException)
(new InvalidParameterException().initCause(iape));
@@ -258,10 +381,11 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
try {
session = token.getObjSession();
CK_ATTRIBUTE[] attributes;
- switch ((int)keyType) {
- case (int)CKK_DES:
- case (int)CKK_DES2:
- case (int)CKK_DES3:
+
+ switch ((int)mechanism) {
+ case (int)CKM_DES_KEY_GEN:
+ case (int)CKM_DES2_KEY_GEN:
+ case (int)CKM_DES3_KEY_GEN:
// fixed length, do not specify CKA_VALUE_LEN
attributes = new CK_ATTRIBUTE[] {
new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
@@ -286,5 +410,4 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
token.releaseSession(session);
}
}
-
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
index c88e4a6ace5..29b26651c39 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
@@ -39,8 +39,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
/**
* MAC implementation class. This class currently supports HMAC using
- * MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC
- * using MD5 and SHA-1.
+ * MD5, SHA-1, SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512),
+ * SHA-3 family (SHA3-224, SHA3-256, SHA3-384, and SHA3-512), and the
+ * SSL3 MAC using MD5 and SHA-1.
*
* Note that unlike other classes (e.g. Signature), this does not
* composite various operations if the token only supports part of the
@@ -92,16 +93,20 @@ final class P11Mac extends MacSpi {
break;
case (int)CKM_SHA224_HMAC:
case (int)CKM_SHA512_224_HMAC:
+ case (int)CKM_SHA3_224_HMAC:
macLength = 28;
break;
case (int)CKM_SHA256_HMAC:
case (int)CKM_SHA512_256_HMAC:
+ case (int)CKM_SHA3_256_HMAC:
macLength = 32;
break;
case (int)CKM_SHA384_HMAC:
+ case (int)CKM_SHA3_384_HMAC:
macLength = 48;
break;
case (int)CKM_SHA512_HMAC:
+ case (int)CKM_SHA3_512_HMAC:
macLength = 64;
break;
case (int)CKM_SSL3_MD5_MAC:
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
index 26eaa4735f1..905b6ea9562 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
@@ -38,6 +38,7 @@ import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.security.interfaces.*;
import sun.security.pkcs11.wrapper.*;
+import sun.security.util.KnownOIDs;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
@@ -52,6 +53,10 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
* . SHA256withRSASSA-PSS
* . SHA384withRSASSA-PSS
* . SHA512withRSASSA-PSS
+ * . SHA3-224withRSASSA-PSS
+ * . SHA3-256withRSASSA-PSS
+ * . SHA3-384withRSASSA-PSS
+ * . SHA3-512withRSASSA-PSS
*
* Note that the underlying PKCS#11 token may support complete signature
* algorithm (e.g. CKM_<md>_RSA_PKCS_PSS), or it may just
@@ -71,20 +76,28 @@ final class P11PSSSignature extends SignatureSpi {
static {
DIGEST_LENGTHS.put("SHA-1", 20);
- DIGEST_LENGTHS.put("SHA", 20);
- DIGEST_LENGTHS.put("SHA1", 20);
DIGEST_LENGTHS.put("SHA-224", 28);
- DIGEST_LENGTHS.put("SHA224", 28);
DIGEST_LENGTHS.put("SHA-256", 32);
- DIGEST_LENGTHS.put("SHA256", 32);
DIGEST_LENGTHS.put("SHA-384", 48);
- DIGEST_LENGTHS.put("SHA384", 48);
DIGEST_LENGTHS.put("SHA-512", 64);
- DIGEST_LENGTHS.put("SHA512", 64);
DIGEST_LENGTHS.put("SHA-512/224", 28);
- DIGEST_LENGTHS.put("SHA512/224", 28);
DIGEST_LENGTHS.put("SHA-512/256", 32);
- DIGEST_LENGTHS.put("SHA512/256", 32);
+ DIGEST_LENGTHS.put("SHA3-224", 28);
+ DIGEST_LENGTHS.put("SHA3-256", 32);
+ DIGEST_LENGTHS.put("SHA3-384", 48);
+ DIGEST_LENGTHS.put("SHA3-512", 64);
+ }
+
+ // utility method for looking up the std digest algorithms
+ private static String toStdName(String givenDigestAlg) {
+ if (givenDigestAlg == null) return null;
+
+ KnownOIDs given2 = KnownOIDs.findMatch(givenDigestAlg);
+ if (given2 == null) {
+ return givenDigestAlg;
+ } else {
+ return given2.stdName();
+ }
}
// utility method for comparing digest algorithms
@@ -92,24 +105,8 @@ final class P11PSSSignature extends SignatureSpi {
private static boolean isDigestEqual(String stdAlg, String givenAlg) {
if (stdAlg == null || givenAlg == null) return false;
- if (givenAlg.indexOf("-") != -1) {
- return stdAlg.equalsIgnoreCase(givenAlg);
- } else {
- if (stdAlg.equals("SHA-1")) {
- return (givenAlg.equalsIgnoreCase("SHA")
- || givenAlg.equalsIgnoreCase("SHA1"));
- } else {
- StringBuilder sb = new StringBuilder(givenAlg);
- // case-insensitive check
- if (givenAlg.regionMatches(true, 0, "SHA", 0, 3)) {
- givenAlg = sb.insert(3, "-").toString();
- return stdAlg.equalsIgnoreCase(givenAlg);
- } else {
- throw new ProviderException("Unsupported digest algorithm "
- + givenAlg);
- }
- }
- }
+ givenAlg = toStdName(givenAlg);
+ return stdAlg.equalsIgnoreCase(givenAlg);
}
// token instance
@@ -172,26 +169,57 @@ final class P11PSSSignature extends SignatureSpi {
this.algorithm = algorithm;
this.mechanism = new CK_MECHANISM(mechId);
int idx = algorithm.indexOf("with");
- this.mdAlg = (idx == -1? null : algorithm.substring(0, idx));
+ // convert to stdName
+ this.mdAlg = (idx == -1?
+ null : toStdName(algorithm.substring(0, idx)));
+
switch ((int)mechId) {
case (int)CKM_SHA1_RSA_PKCS_PSS:
case (int)CKM_SHA224_RSA_PKCS_PSS:
case (int)CKM_SHA256_RSA_PKCS_PSS:
case (int)CKM_SHA384_RSA_PKCS_PSS:
case (int)CKM_SHA512_RSA_PKCS_PSS:
+ case (int)CKM_SHA3_224_RSA_PKCS_PSS:
+ case (int)CKM_SHA3_256_RSA_PKCS_PSS:
+ case (int)CKM_SHA3_384_RSA_PKCS_PSS:
+ case (int)CKM_SHA3_512_RSA_PKCS_PSS:
type = T_UPDATE;
+ this.md = null;
break;
case (int)CKM_RSA_PKCS_PSS:
+ // check if the digest algo is supported by underlying PKCS11 lib
+ if (this.mdAlg != null && token.getMechanismInfo
+ (Functions.getHashMechId(this.mdAlg)) == null) {
+ throw new NoSuchAlgorithmException("Unsupported algorithm: " +
+ algorithm);
+ }
+ this.md = (this.mdAlg == null? null :
+ MessageDigest.getInstance(this.mdAlg));
type = T_DIGEST;
break;
default:
throw new ProviderException("Unsupported mechanism: " + mechId);
}
- this.md = null;
+ }
+
+ private static PSSParameterSpec genDefaultParams(String digestAlg,
+ P11Key key) throws SignatureException {
+ int mdLen;
+ try {
+ mdLen = DIGEST_LENGTHS.get(digestAlg);
+ } catch (NullPointerException npe) {
+ throw new SignatureException("Unsupported digest: " +
+ digestAlg);
+ }
+ int saltLen = Integer.min(mdLen, (key.length() >> 3) - mdLen -2);
+ return new PSSParameterSpec(digestAlg,
+ "MGF1", new MGF1ParameterSpec(digestAlg),
+ saltLen, PSSParameterSpec.TRAILER_FIELD_BC);
}
private void ensureInitialized() throws SignatureException {
token.ensureValid();
+
if (this.p11Key == null) {
throw new SignatureException("Missing key");
}
@@ -200,20 +228,19 @@ final class P11PSSSignature extends SignatureSpi {
// PSS Parameters are required for signature verification
throw new SignatureException
("Parameters required for RSASSA-PSS signature");
- } else {
- int saltLen = DIGEST_LENGTHS.get(this.mdAlg).intValue();
- // generate default params for both sign and verify?
- this.sigParams = new PSSParameterSpec(this.mdAlg,
- "MGF1", new MGF1ParameterSpec(this.mdAlg),
- saltLen, PSSParameterSpec.TRAILER_FIELD_BC);
- this.mechanism.setParameter(new CK_RSA_PKCS_PSS_PARAMS(
- this.mdAlg, "MGF1", this.mdAlg,
- DIGEST_LENGTHS.get(this.mdAlg).intValue()));
}
+ // generate default params for both sign and verify?
+ this.sigParams = genDefaultParams(this.mdAlg, this.p11Key);
+ this.mechanism.setParameter(new CK_RSA_PKCS_PSS_PARAMS(
+ this.mdAlg, "MGF1", this.mdAlg, sigParams.getSaltLength()));
}
if (initialized == false) {
- initialize();
+ try {
+ initialize();
+ } catch (ProviderException pe) {
+ throw new SignatureException(pe);
+ }
}
}
@@ -286,7 +313,7 @@ final class P11PSSSignature extends SignatureSpi {
}
// assumes current state is initialized == false
- private void initialize() {
+ private void initialize() throws ProviderException {
if (DEBUG) System.out.println("Initializing");
if (p11Key == null) {
@@ -363,7 +390,8 @@ final class P11PSSSignature extends SignatureSpi {
if (this.sigParams != null) {
String digestAlg = this.sigParams.getDigestAlgorithm();
int sLen = this.sigParams.getSaltLength();
- int hLen = DIGEST_LENGTHS.get(digestAlg).intValue();
+
+ int hLen = DIGEST_LENGTHS.get(toStdName(digestAlg)).intValue();
int minKeyLen = Math.addExact(Math.addExact(sLen, hLen), 2);
if (keySize < minKeyLen) {
@@ -387,12 +415,24 @@ final class P11PSSSignature extends SignatureSpi {
if (params == this.sigParams) return;
String digestAlgorithm = params.getDigestAlgorithm();
- if (this.mdAlg != null && !isDigestEqual(digestAlgorithm, this.mdAlg)) {
+ if (this.mdAlg != null && !isDigestEqual(this.mdAlg, digestAlgorithm)) {
throw new InvalidAlgorithmParameterException
("Digest algorithm in Signature parameters must be " +
this.mdAlg);
}
- Integer digestLen = DIGEST_LENGTHS.get(digestAlgorithm);
+
+ try {
+ if (token.getMechanismInfo(Functions.getHashMechId
+ (digestAlgorithm)) == null) {
+ throw new InvalidAlgorithmParameterException
+ ("Unsupported digest algorithm: " + digestAlgorithm);
+ }
+ } catch (PKCS11Exception pe) {
+ // should not happen
+ throw new InvalidAlgorithmParameterException(pe);
+ }
+
+ Integer digestLen = DIGEST_LENGTHS.get(toStdName(digestAlgorithm));
if (digestLen == null) {
throw new InvalidAlgorithmParameterException
("Unsupported digest algorithm in Signature parameters: " +
@@ -465,8 +505,14 @@ final class P11PSSSignature extends SignatureSpi {
mode = M_VERIFY;
p11Key = P11KeyFactory.convertKey(token, publicKey, KEY_ALGO);
- // For PSS, defer PKCS11 initialization calls to update/doFinal as it
- // needs both key and params
+ // attempt initialization when key and params are both available
+ if (this.p11Key != null && this.sigParams != null) {
+ try {
+ initialize();
+ } catch (ProviderException pe) {
+ throw new InvalidKeyException(pe);
+ }
+ }
}
// see JCA spec
@@ -487,8 +533,14 @@ final class P11PSSSignature extends SignatureSpi {
mode = M_SIGN;
p11Key = P11KeyFactory.convertKey(token, privateKey, KEY_ALGO);
- // For PSS, defer PKCS11 initialization calls to update/doFinal as it
- // needs both key and params
+ // attempt initialization when key and params are both available
+ if (this.p11Key != null && this.sigParams != null) {
+ try {
+ initialize();
+ } catch (ProviderException pe) {
+ throw new InvalidKeyException(pe);
+ }
+ }
}
// see JCA spec
@@ -698,6 +750,15 @@ final class P11PSSSignature extends SignatureSpi {
throw new InvalidAlgorithmParameterException(nsae);
}
}
+
+ // attempt initialization when key and params are both available
+ if (this.p11Key != null && this.sigParams != null) {
+ try {
+ initialize();
+ } catch (ProviderException pe) {
+ throw new InvalidAlgorithmParameterException(pe);
+ }
+ }
}
// see JCA spec
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
index e3af106d05a..e49edf32c29 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
@@ -51,8 +51,15 @@ import sun.security.util.KeyUtil;
* . DSA
* . NONEwithDSA (RawDSA)
* . SHA1withDSA
- * . NONEwithDSAinP1363Format (RawDSAinP1363Format)
- * . SHA1withDSAinP1363Format
+ * . SHA224withDSA
+ * . SHA256withDSA
+ * . SHA384withDSA
+ * . SHA512withDSA
+ * . SHA3-224withDSA
+ * . SHA3-256withDSA
+ * . SHA3-384withDSA
+ * . SHA3-512withDSA
+ * . <any of above>inP1363Format
* . RSA:
* . MD2withRSA
* . MD5withRSA
@@ -61,6 +68,10 @@ import sun.security.util.KeyUtil;
* . SHA256withRSA
* . SHA384withRSA
* . SHA512withRSA
+ * . SHA3-224withRSA
+ * . SHA3-256withRSA
+ * . SHA3-384withRSA
+ * . SHA3-512withRSA
* . ECDSA
* . NONEwithECDSA
* . SHA1withECDSA
@@ -68,12 +79,11 @@ import sun.security.util.KeyUtil;
* . SHA256withECDSA
* . SHA384withECDSA
* . SHA512withECDSA
- * . NONEwithECDSAinP1363Format
- * . SHA1withECDSAinP1363Format
- * . SHA224withECDSAinP1363Format
- * . SHA256withECDSAinP1363Format
- * . SHA384withECDSAinP1363Format
- * . SHA512withECDSAinP1363Format
+ * . SHA3_224withECDSA
+ * . SHA3_256withECDSA
+ * . SHA3_384withECDSA
+ * . SHA3_512withECDSA
+ * . <any of above>inP1363Format
*
* Note that the underlying PKCS#11 token may support complete signature
* algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just
@@ -144,10 +154,11 @@ final class P11Signature extends SignatureSpi {
// constant for type raw, used with RawDSA and NONEwithECDSA only
private final static int T_RAW = 3;
- // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits",
- // but this is a little arbitrary
+ // PKCS#11 spec for CKM_ECDSA states that the length should not be longer
+ // than 1024 bits", but this is a little arbitrary
private final static int RAW_ECDSA_MAX = 128;
+
P11Signature(Token token, String algorithm, long mechanism)
throws NoSuchAlgorithmException, PKCS11Exception {
super();
@@ -165,16 +176,36 @@ final class P11Signature extends SignatureSpi {
case (int)CKM_SHA256_RSA_PKCS:
case (int)CKM_SHA384_RSA_PKCS:
case (int)CKM_SHA512_RSA_PKCS:
+ case (int)CKM_SHA3_224_RSA_PKCS:
+ case (int)CKM_SHA3_256_RSA_PKCS:
+ case (int)CKM_SHA3_384_RSA_PKCS:
+ case (int)CKM_SHA3_512_RSA_PKCS:
keyAlgorithm = "RSA";
type = T_UPDATE;
buffer = new byte[1];
break;
case (int)CKM_DSA_SHA1:
+ case (int)CKM_DSA_SHA224:
+ case (int)CKM_DSA_SHA256:
+ case (int)CKM_DSA_SHA384:
+ case (int)CKM_DSA_SHA512:
+ case (int)CKM_DSA_SHA3_224:
+ case (int)CKM_DSA_SHA3_256:
+ case (int)CKM_DSA_SHA3_384:
+ case (int)CKM_DSA_SHA3_512:
keyAlgorithm = "DSA";
type = T_UPDATE;
buffer = new byte[1];
break;
case (int)CKM_ECDSA_SHA1:
+ case (int)CKM_ECDSA_SHA224:
+ case (int)CKM_ECDSA_SHA256:
+ case (int)CKM_ECDSA_SHA384:
+ case (int)CKM_ECDSA_SHA512:
+ case (int)CKM_ECDSA_SHA3_224:
+ case (int)CKM_ECDSA_SHA3_256:
+ case (int)CKM_ECDSA_SHA3_384:
+ case (int)CKM_ECDSA_SHA3_512:
keyAlgorithm = "EC";
type = T_UPDATE;
buffer = new byte[1];
@@ -200,57 +231,18 @@ final class P11Signature extends SignatureSpi {
type = T_RAW;
buffer = new byte[RAW_ECDSA_MAX];
} else {
- String digestAlg;
- if (algorithm.equals("SHA1withECDSA") ||
- algorithm.equals("SHA1withECDSAinP1363Format")) {
- digestAlg = "SHA-1";
- } else if (algorithm.equals("SHA224withECDSA") ||
- algorithm.equals("SHA224withECDSAinP1363Format")) {
- digestAlg = "SHA-224";
- } else if (algorithm.equals("SHA256withECDSA") ||
- algorithm.equals("SHA256withECDSAinP1363Format")) {
- digestAlg = "SHA-256";
- } else if (algorithm.equals("SHA384withECDSA") ||
- algorithm.equals("SHA384withECDSAinP1363Format")) {
- digestAlg = "SHA-384";
- } else if (algorithm.equals("SHA512withECDSA") ||
- algorithm.equals("SHA512withECDSAinP1363Format")) {
- digestAlg = "SHA-512";
- } else {
- throw new ProviderException(algorithm);
- }
type = T_DIGEST;
- md = MessageDigest.getInstance(digestAlg);
+ md = MessageDigest.getInstance
+ (getDigestEnum(algorithm).stdName());
}
break;
case (int)CKM_RSA_PKCS:
case (int)CKM_RSA_X_509:
keyAlgorithm = "RSA";
type = T_DIGEST;
- if (algorithm.equals("MD5withRSA")) {
- md = MessageDigest.getInstance("MD5");
- digestOID = AlgorithmId.MD5_oid;
- } else if (algorithm.equals("SHA1withRSA")) {
- md = MessageDigest.getInstance("SHA-1");
- digestOID = AlgorithmId.SHA_oid;
- } else if (algorithm.equals("MD2withRSA")) {
- md = MessageDigest.getInstance("MD2");
- digestOID = AlgorithmId.MD2_oid;
- } else if (algorithm.equals("SHA224withRSA")) {
- md = MessageDigest.getInstance("SHA-224");
- digestOID = AlgorithmId.SHA224_oid;
- } else if (algorithm.equals("SHA256withRSA")) {
- md = MessageDigest.getInstance("SHA-256");
- digestOID = AlgorithmId.SHA256_oid;
- } else if (algorithm.equals("SHA384withRSA")) {
- md = MessageDigest.getInstance("SHA-384");
- digestOID = AlgorithmId.SHA384_oid;
- } else if (algorithm.equals("SHA512withRSA")) {
- md = MessageDigest.getInstance("SHA-512");
- digestOID = AlgorithmId.SHA512_oid;
- } else {
- throw new ProviderException("Unknown signature: " + algorithm);
- }
+ KnownOIDs digestAlg = getDigestEnum(algorithm);
+ md = MessageDigest.getInstance(digestAlg.stdName());
+ digestOID = ObjectIdentifier.of(digestAlg);
break;
default:
throw new ProviderException("Unknown mechanism: " + mechanism);
@@ -304,8 +296,8 @@ final class P11Signature extends SignatureSpi {
}
} else { // M_VERIFY
byte[] signature;
- if (keyAlgorithm.equals("DSA")) {
- signature = new byte[40];
+ if (mechanism == CKM_DSA) {
+ signature = new byte[64]; // assume N = 256
} else {
signature = new byte[(p11Key.length() + 7) >> 3];
}
@@ -449,13 +441,17 @@ final class P11Signature extends SignatureSpi {
encodedLength = 34;
} else if (algorithm.equals("SHA1withRSA")) {
encodedLength = 35;
- } else if (algorithm.equals("SHA224withRSA")) {
+ } else if (algorithm.equals("SHA224withRSA") ||
+ algorithm.equals("SHA3-224withRSA")) {
encodedLength = 47;
- } else if (algorithm.equals("SHA256withRSA")) {
+ } else if (algorithm.equals("SHA256withRSA") ||
+ algorithm.equals("SHA3-256withRSA")) {
encodedLength = 51;
- } else if (algorithm.equals("SHA384withRSA")) {
+ } else if (algorithm.equals("SHA384withRSA") ||
+ algorithm.equals("SHA3-384withRSA")) {
encodedLength = 67;
- } else if (algorithm.equals("SHA512withRSA")) {
+ } else if (algorithm.equals("SHA512withRSA") ||
+ algorithm.equals("SHA3-512withRSA")) {
encodedLength = 83;
} else {
throw new ProviderException("Unknown signature algo: " + algorithm);
@@ -631,8 +627,7 @@ final class P11Signature extends SignatureSpi {
try {
byte[] signature;
if (type == T_UPDATE) {
- int len = keyAlgorithm.equals("DSA") ? 40 : 0;
- signature = token.p11.C_SignFinal(session.id(), len);
+ signature = token.p11.C_SignFinal(session.id(), 0);
} else {
byte[] digest;
if (type == T_DIGEST) {
@@ -781,6 +776,23 @@ final class P11Signature extends SignatureSpi {
}
}
+ private static KnownOIDs getDigestEnum(String algorithm)
+ throws NoSuchAlgorithmException {
+ try {
+ String digAlg = SignatureUtil.extractDigestAlgFromDwithE(algorithm);
+ KnownOIDs k = KnownOIDs.findMatch(digAlg);
+ if (k == null) {
+ throw new NoSuchAlgorithmException
+ ("Unsupported digest algorithm: " + digAlg);
+ }
+ return k;
+ } catch (IllegalArgumentException iae) {
+ // should never happen
+ throw new NoSuchAlgorithmException("Unknown signature: " +
+ algorithm, iae);
+ }
+ }
+
// private static byte[] decodeSignature(byte[] signature) throws IOException {
// return RSASignature.decodeSignature(digestOID, signature);
// }
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index cf7cd19b689..7a8bcffb92c 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -550,6 +550,18 @@ public final class SunPKCS11 extends AuthProvider {
d(MD, "SHA-512/256", P11Digest,
s("2.16.840.1.101.3.4.2.6", "OID.2.16.840.1.101.3.4.2.6"),
m(CKM_SHA512_256));
+ d(MD, "SHA3-224", P11Digest,
+ s("2.16.840.1.101.3.4.2.7", "OID.2.16.840.1.101.3.4.2.7"),
+ m(CKM_SHA3_224));
+ d(MD, "SHA3-256", P11Digest,
+ s("2.16.840.1.101.3.4.2.8", "OID.2.16.840.1.101.3.4.2.8"),
+ m(CKM_SHA3_256));
+ d(MD, "SHA3-384", P11Digest,
+ s("2.16.840.1.101.3.4.2.9", "OID.2.16.840.1.101.3.4.2.9"),
+ m(CKM_SHA3_384));
+ d(MD, "SHA3-512", P11Digest,
+ s("2.16.840.1.101.3.4.2.10", "OID.2.16.840.1.101.3.4.2.10"),
+ m(CKM_SHA3_512));
d(MAC, "HmacMD5", P11MAC,
m(CKM_MD5_HMAC));
@@ -574,7 +586,18 @@ public final class SunPKCS11 extends AuthProvider {
d(MAC, "HmacSHA512/256", P11MAC,
s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"),
m(CKM_SHA512_256_HMAC));
-
+ d(MAC, "HmacSHA3-224", P11MAC,
+ s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"),
+ m(CKM_SHA3_224_HMAC));
+ d(MAC, "HmacSHA3-256", P11MAC,
+ s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"),
+ m(CKM_SHA3_256_HMAC));
+ d(MAC, "HmacSHA3-384", P11MAC,
+ s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"),
+ m(CKM_SHA3_384_HMAC));
+ d(MAC, "HmacSHA3-512", P11MAC,
+ s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"),
+ m(CKM_SHA3_512_HMAC));
d(MAC, "SslMacMD5", P11MAC,
m(CKM_SSL3_MD5_MAC));
d(MAC, "SslMacSHA1", P11MAC,
@@ -604,6 +627,41 @@ public final class SunPKCS11 extends AuthProvider {
m(CKM_BLOWFISH_KEY_GEN));
d(KG, "ChaCha20", P11KeyGenerator,
m(CKM_CHACHA20_KEY_GEN));
+ d(KG, "HmacMD5", P11KeyGenerator, // 1.3.6.1.5.5.8.1.1
+ m(CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA1", P11KeyGenerator,
+ s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"),
+ m(CKM_SHA_1_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA224", P11KeyGenerator,
+ s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"),
+ m(CKM_SHA224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA256", P11KeyGenerator,
+ s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"),
+ m(CKM_SHA256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA384", P11KeyGenerator,
+ s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"),
+ m(CKM_SHA384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA512", P11KeyGenerator,
+ s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"),
+ m(CKM_SHA512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA512/224", P11KeyGenerator,
+ s("1.2.840.113549.2.12", "OID.1.2.840.113549.2.12"),
+ m(CKM_SHA512_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA512/256", P11KeyGenerator,
+ s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"),
+ m(CKM_SHA512_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA3-224", P11KeyGenerator,
+ s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"),
+ m(CKM_SHA3_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA3-256", P11KeyGenerator,
+ s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"),
+ m(CKM_SHA3_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA3-384", P11KeyGenerator,
+ s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"),
+ m(CKM_SHA3_384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
+ d(KG, "HmacSHA3-512", P11KeyGenerator,
+ s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"),
+ m(CKM_SHA3_512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
// register (Secret)KeyFactories if there are any mechanisms
// for a particular algorithm that we support
@@ -747,13 +805,40 @@ public final class SunPKCS11 extends AuthProvider {
d(SIG, "SHA512withDSA", P11Signature,
s("2.16.840.1.101.3.4.3.4", "OID.2.16.840.1.101.3.4.3.4"),
m(CKM_DSA_SHA512));
+ d(SIG, "SHA3-224withDSA", P11Signature,
+ s("2.16.840.1.101.3.4.3.5", "OID.2.16.840.1.101.3.4.3.5"),
+ m(CKM_DSA_SHA3_224));
+ d(SIG, "SHA3-256withDSA", P11Signature,
+ s("2.16.840.1.101.3.4.3.6", "OID.2.16.840.1.101.3.4.3.6"),
+ m(CKM_DSA_SHA3_256));
+ d(SIG, "SHA3-384withDSA", P11Signature,
+ s("2.16.840.1.101.3.4.3.7", "OID.2.16.840.1.101.3.4.3.7"),
+ m(CKM_DSA_SHA3_384));
+ d(SIG, "SHA3-512withDSA", P11Signature,
+ s("2.16.840.1.101.3.4.3.8", "OID.2.16.840.1.101.3.4.3.8"),
+ m(CKM_DSA_SHA3_512));
d(SIG, "RawDSAinP1363Format", P11Signature,
s("NONEwithDSAinP1363Format"),
m(CKM_DSA));
d(SIG, "DSAinP1363Format", P11Signature,
s("SHA1withDSAinP1363Format"),
m(CKM_DSA_SHA1, CKM_DSA));
-
+ d(SIG, "SHA224withDSAinP1363Format", P11Signature,
+ m(CKM_DSA_SHA224));
+ d(SIG, "SHA256withDSAinP1363Format", P11Signature,
+ m(CKM_DSA_SHA256));
+ d(SIG, "SHA384withDSAinP1363Format", P11Signature,
+ m(CKM_DSA_SHA384));
+ d(SIG, "SHA512withDSAinP1363Format", P11Signature,
+ m(CKM_DSA_SHA512));
+ d(SIG, "SHA3-224withDSAinP1363Format", P11Signature,
+ m(CKM_DSA_SHA3_224));
+ d(SIG, "SHA3-256withDSAinP1363Format", P11Signature,
+ m(CKM_DSA_SHA3_256));
+ d(SIG, "SHA3-384withDSAinP1363Format", P11Signature,
+ m(CKM_DSA_SHA3_384));
+ d(SIG, "SHA3-512withDSAinP1363Format", P11Signature,
+ m(CKM_DSA_SHA3_512));
d(SIG, "NONEwithECDSA", P11Signature,
m(CKM_ECDSA));
d(SIG, "SHA1withECDSA", P11Signature,
@@ -761,28 +846,49 @@ public final class SunPKCS11 extends AuthProvider {
m(CKM_ECDSA_SHA1, CKM_ECDSA));
d(SIG, "SHA224withECDSA", P11Signature,
s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"),
- m(CKM_ECDSA));
+ m(CKM_ECDSA_SHA224, CKM_ECDSA));
d(SIG, "SHA256withECDSA", P11Signature,
s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"),
- m(CKM_ECDSA));
+ m(CKM_ECDSA_SHA256, CKM_ECDSA));
d(SIG, "SHA384withECDSA", P11Signature,
s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"),
- m(CKM_ECDSA));
+ m(CKM_ECDSA_SHA384, CKM_ECDSA));
d(SIG, "SHA512withECDSA", P11Signature,
s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"),
- m(CKM_ECDSA));
+ m(CKM_ECDSA_SHA512, CKM_ECDSA));
+ d(SIG, "SHA3-224withECDSA", P11Signature,
+ s("1.2.840.10045.4.3.9", "OID.1.2.840.10045.4.3.9"),
+ m(CKM_ECDSA_SHA3_224, CKM_ECDSA));
+ d(SIG, "SHA3-256withECDSA", P11Signature,
+ s("1.2.840.10045.4.3.10", "OID.1.2.840.10045.4.3.10"),
+ m(CKM_ECDSA_SHA3_256, CKM_ECDSA));
+ d(SIG, "SHA3-384withECDSA", P11Signature,
+ s("1.2.840.10045.4.3.11", "OID.1.2.840.10045.4.3.11"),
+ m(CKM_ECDSA_SHA3_384, CKM_ECDSA));
+ d(SIG, "SHA3-512withECDSA", P11Signature,
+ s("1.2.840.10045.4.3.12", "OID.1.2.840.10045.4.3.12"),
+ m(CKM_ECDSA_SHA3_512, CKM_ECDSA));
d(SIG, "NONEwithECDSAinP1363Format", P11Signature,
m(CKM_ECDSA));
d(SIG, "SHA1withECDSAinP1363Format", P11Signature,
m(CKM_ECDSA_SHA1, CKM_ECDSA));
d(SIG, "SHA224withECDSAinP1363Format", P11Signature,
- m(CKM_ECDSA));
+ m(CKM_ECDSA_SHA224, CKM_ECDSA));
d(SIG, "SHA256withECDSAinP1363Format", P11Signature,
- m(CKM_ECDSA));
+ m(CKM_ECDSA_SHA256, CKM_ECDSA));
d(SIG, "SHA384withECDSAinP1363Format", P11Signature,
- m(CKM_ECDSA));
+ m(CKM_ECDSA_SHA384, CKM_ECDSA));
d(SIG, "SHA512withECDSAinP1363Format", P11Signature,
- m(CKM_ECDSA));
+ m(CKM_ECDSA_SHA512, CKM_ECDSA));
+ d(SIG, "SHA3-224withECDSAinP1363Format", P11Signature,
+ m(CKM_ECDSA_SHA3_224, CKM_ECDSA));
+ d(SIG, "SHA3-256withECDSAinP1363Format", P11Signature,
+ m(CKM_ECDSA_SHA3_256, CKM_ECDSA));
+ d(SIG, "SHA3-384withECDSAinP1363Format", P11Signature,
+ m(CKM_ECDSA_SHA3_384, CKM_ECDSA));
+ d(SIG, "SHA3-512withECDSAinP1363Format", P11Signature,
+ m(CKM_ECDSA_SHA3_512, CKM_ECDSA));
+
d(SIG, "MD2withRSA", P11Signature,
s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"),
m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
@@ -805,6 +911,18 @@ public final class SunPKCS11 extends AuthProvider {
d(SIG, "SHA512withRSA", P11Signature,
s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
+ d(SIG, "SHA3-224withRSA", P11Signature,
+ s("2.16.840.1.101.3.4.3.13", "OID.2.16.840.1.101.3.4.3.13"),
+ m(CKM_SHA3_224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
+ d(SIG, "SHA3-256withRSA", P11Signature,
+ s("2.16.840.1.101.3.4.3.14", "OID.2.16.840.1.101.3.4.3.14"),
+ m(CKM_SHA3_256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
+ d(SIG, "SHA3-384withRSA", P11Signature,
+ s("2.16.840.1.101.3.4.3.15", "OID.2.16.840.1.101.3.4.3.15"),
+ m(CKM_SHA3_384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
+ d(SIG, "SHA3-512withRSA", P11Signature,
+ s("2.16.840.1.101.3.4.3.16", "OID.2.16.840.1.101.3.4.3.16"),
+ m(CKM_SHA3_512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
d(SIG, "RSASSA-PSS", P11PSSSignature,
s("1.2.840.113549.1.1.10", "OID.1.2.840.113549.1.1.10"),
m(CKM_RSA_PKCS_PSS));
@@ -818,6 +936,14 @@ public final class SunPKCS11 extends AuthProvider {
m(CKM_SHA384_RSA_PKCS_PSS));
d(SIG, "SHA512withRSASSA-PSS", P11PSSSignature,
m(CKM_SHA512_RSA_PKCS_PSS));
+ d(SIG, "SHA3-224withRSASSA-PSS", P11PSSSignature,
+ m(CKM_SHA3_224_RSA_PKCS_PSS));
+ d(SIG, "SHA3-256withRSASSA-PSS", P11PSSSignature,
+ m(CKM_SHA3_256_RSA_PKCS_PSS));
+ d(SIG, "SHA3-384withRSASSA-PSS", P11PSSSignature,
+ m(CKM_SHA3_384_RSA_PKCS_PSS));
+ d(SIG, "SHA3-512withRSASSA-PSS", P11PSSSignature,
+ m(CKM_SHA3_512_RSA_PKCS_PSS));
d(KG, "SunTlsRsaPremasterSecret",
"sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
index e077943bbc2..cb04b95304d 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -57,7 +57,12 @@ public class CK_RSA_PKCS_PSS_PARAMS {
throw new ProviderException("Only MGF1 is supported");
}
// no dash in PKCS#11 mechanism names
- this.mgf = Functions.getMGFId("CKG_MGF1_" + mgfHash.replaceFirst("-", ""));
+ if (mgfHash.startsWith("SHA3-")) {
+ mgfHash = mgfHash.replaceFirst("-", "_");
+ } else {
+ mgfHash = mgfHash.replaceFirst("-", "");
+ }
+ this.mgf = Functions.getMGFId("CKG_MGF1_" + mgfHash);
this.sLen = sLen;
}
diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java
new file mode 100644
index 00000000000..d6707028d96
--- /dev/null
+++ b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8242332
+ * @summary Check that PKCS11 Hamc KeyGenerator picks appropriate default size
+ * @library /test/lib ..
+ * @modules jdk.crypto.cryptoki
+ * @run main/othervm HmacDefKeySizeTest
+ * @run main/othervm HmacDefKeySizeTest sm
+ */
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.util.List;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+
+public class HmacDefKeySizeTest extends PKCS11Test {
+
+ /**
+ * Request a KeyGenerator object from PKCS11 provider for Hmac algorithm,
+ * and generate the SecretKey.
+ *
+ * @param args the command line arguments
+ */
+ public static void main(String[] args) throws Exception {
+ main(new HmacDefKeySizeTest(), args);
+ }
+
+ @Override
+ public void main(Provider p) {
+ List<String> algorithms = getSupportedAlgorithms("KeyGenerator",
+ "Hmac", p);
+ boolean success = true;
+
+ for (String alg : algorithms) {
+ System.out.println("Testing " + alg);
+ try {
+ KeyGenerator kg = KeyGenerator.getInstance(alg, p);
+ SecretKey k1 = kg.generateKey();
+ int keysize = k1.getEncoded().length << 3;
+ System.out.println("=> default key size = " + keysize);
+ kg.init(keysize);
+ SecretKey k2 = kg.generateKey();
+ if ((k2.getEncoded().length << 3) != keysize) {
+ success = false;
+ System.out.println("keysize check failed");
+ }
+ } catch (Exception e) {
+ System.out.println("Unexpected exception: " + e);
+ e.printStackTrace();
+ success = false;
+ }
+ }
+
+ if (!success) {
+ throw new RuntimeException("One or more tests failed");
+ }
+ }
+}
diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
index b61d10beece..78b7d857e8e 100644
--- a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
+++ b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 4917233 6461727 6490213 6720456
+ * @bug 4917233 6461727 6490213 6720456 8242332
* @summary test the KeyGenerator
* @author Andreas Sterbenz
* @library /test/lib ..
@@ -128,6 +128,18 @@ public class TestKeyGenerator extends PKCS11Test {
test("ARCFOUR", 40, p, TestResult.PASS);
test("ARCFOUR", 128, p, TestResult.PASS);
+ String[] HMAC_ALGS = {
+ "HmacSHA1", "HmacSHA224", "HmacSHA256", "HmacSHA384", "HmacSHA512",
+ "HmacSHA512/224", "HmacSHA512/256", "HmacSHA3-224", "HmacSHA3-256",
+ "HmacSHA3-384", "HmacSHA3-512",
+ };
+
+ for (String hmacAlg : HMAC_ALGS) {
+ test(hmacAlg, 0, p, TestResult.FAIL);
+ test(hmacAlg, 128, p, TestResult.PASS);
+ test(hmacAlg, 224, p, TestResult.PASS);
+ }
+
if (p.getName().equals("SunPKCS11-Solaris")) {
test("ARCFOUR", 1024, p, TestResult.TBD);
} else if (p.getName().equals("SunPKCS11-NSS")) {
diff --git a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
index 59af327c1f2..64c42a6dd06 100644
--- a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
+++ b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 8048603
+ * @bug 8048603 8242332
* @summary Check if doFinal and update operation result in same Mac
* @author Yu-Ching Valerie Peng, Bill Situ, Alexander Fomin
* @library /test/lib ..
@@ -40,13 +40,15 @@ import java.security.Provider;
import java.security.SecureRandom;
import java.util.List;
import javax.crypto.Mac;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
public class MacSameTest extends PKCS11Test {
private static final int MESSAGE_SIZE = 25;
private static final int OFFSET = 5;
- private static final int KEY_SIZE = 70;
+ private static final int KEY_SIZE = 128;
/**
* Initialize a message, instantiate a Mac object,
@@ -67,9 +69,30 @@ public class MacSameTest extends PKCS11Test {
public void main(Provider p) {
List<String> algorithms = getSupportedAlgorithms("Mac", "Hmac", p);
boolean success = true;
+ SecureRandom srdm = new SecureRandom();
+
for (String alg : algorithms) {
+ // first try w/ java secret key object
+ byte[] keyVal = new byte[KEY_SIZE];
+ srdm.nextBytes(keyVal);
+ SecretKey skey = new SecretKeySpec(keyVal, alg);
+
+ try {
+ doTest(alg, skey, p);
+ } catch (Exception e) {
+ System.out.println("Unexpected exception: " + e);
+ e.printStackTrace();
+ success = false;
+ }
+
try {
- doTest(alg, p);
+ KeyGenerator kg = KeyGenerator.getInstance(alg, p);
+ kg.init(KEY_SIZE);
+ skey = kg.generateKey();
+ doTest(alg, skey, p);
+ } catch (NoSuchAlgorithmException nsae) {
+ System.out.println("Skip test using native key for " + alg);
+ continue;
} catch (Exception e) {
System.out.println("Unexpected exception: " + e);
e.printStackTrace();
@@ -82,7 +105,7 @@ public class MacSameTest extends PKCS11Test {
}
}
- private void doTest(String algo, Provider provider)
+ private void doTest(String algo, SecretKey key, Provider provider)
throws NoSuchAlgorithmException, NoSuchProviderException,
InvalidKeyException {
System.out.println("Test " + algo);
@@ -108,12 +131,7 @@ public class MacSameTest extends PKCS11Test {
byte[] tail = new byte[plain.length - OFFSET];
System.arraycopy(plain, OFFSET, tail, 0, tail.length);
- SecureRandom srdm = new SecureRandom();
- byte[] keyVal = new byte[KEY_SIZE];
- srdm.nextBytes(keyVal);
- SecretKeySpec keySpec = new SecretKeySpec(keyVal, "HMAC");
-
- mac.init(keySpec);
+ mac.init(key);
byte[] result1 = mac.doFinal(plain);
mac.reset();
diff --git a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
index 5cad8859840..7e045232e3a 100644
--- a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
+++ b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 4856966
+ * @bug 4856966 8242332
* @summary
* @author Andreas Sterbenz
* @library /test/lib ..
@@ -35,6 +35,7 @@
import java.security.Provider;
import java.util.Random;
+import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
@@ -46,32 +47,49 @@ public class ReinitMac extends PKCS11Test {
@Override
public void main(Provider p) throws Exception {
- if (p.getService("Mac", "HmacMD5") == null) {
- System.out.println(p + " does not support HmacMD5, skipping");
- return;
- }
+ List<String> algorithms = getSupportedAlgorithms("Mac", "Hmac", p);
Random random = new Random();
- byte[] data1 = new byte[10 * 1024];
- random.nextBytes(data1);
- byte[] keyData = new byte[16];
- random.nextBytes(keyData);
- SecretKeySpec key = new SecretKeySpec(keyData, "Hmac");
- Mac mac = Mac.getInstance("HmacMD5", p);
+ byte[] data = new byte[10 * 1024];
+ random.nextBytes(data);
+ byte[] keyVal = new byte[16];
+ random.nextBytes(keyVal);
+
+ boolean success = true;
+ for (String alg : algorithms) {
+ try {
+ doTest(alg, p, keyVal, data);
+ } catch (Exception e) {
+ System.out.println("Unexpected exception: " + e);
+ e.printStackTrace();
+ success = false;
+ }
+ }
+
+ if (!success) {
+ throw new RuntimeException("Test failed");
+ } else {
+ System.out.println("All tests passed");
+ }
+ }
+
+ private void doTest(String alg, Provider p, byte[] keyVal, byte[] data)
+ throws Exception {
+ System.out.println("Testing " + alg);
+ SecretKeySpec key = new SecretKeySpec(keyVal, alg);
+ Mac mac = Mac.getInstance(alg, p);
mac.init(key);
mac.init(key);
- mac.update(data1);
+ mac.update(data);
mac.init(key);
mac.doFinal();
mac.doFinal();
- mac.update(data1);
+ mac.update(data);
mac.doFinal();
mac.reset();
mac.reset();
mac.init(key);
mac.reset();
- mac.update(data1);
+ mac.update(data);
mac.reset();
-
- System.out.println("All tests passed");
}
}
diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
index 7ced00630cc..a7a72e8ea3d 100644
--- a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
+++ b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 4856966 8080462
+ * @bug 4856966 8080462 8242332
* @summary Test the MessageDigest.update(ByteBuffer) method
* @author Andreas Sterbenz
* @library /test/lib ..
@@ -36,13 +36,10 @@ import java.nio.ByteBuffer;
import java.security.*;
import java.util.Arrays;
import java.util.Random;
+import java.util.List;
public class ByteBuffers extends PKCS11Test {
- static final String[] ALGS = {
- "SHA-224", "SHA-256", "SHA-384", "SHA-512", "SHA-512/224", "SHA-512/256"
- };
-
private static Random random = new Random();
public static void main(String[] args) throws Exception {
@@ -51,6 +48,9 @@ public class ByteBuffers extends PKCS11Test {
@Override
public void main(Provider p) throws Exception {
+ List<String> ALGS = getSupportedAlgorithms("MessageDigest",
+ "SHA", p);
+
int n = 10 * 1024;
byte[] t = new byte[n];
random.nextBytes(t);
@@ -62,13 +62,7 @@ public class ByteBuffers extends PKCS11Test {
private void runTest(Provider p, String alg, byte[] data) throws Exception {
System.out.println("Test against " + p.getName() + " and " + alg);
- MessageDigest md;
- try {
- md = MessageDigest.getInstance(alg, p);
- } catch (NoSuchAlgorithmException e) {
- System.out.println("Skip " + alg + " due to no support");
- return;
- }
+ MessageDigest md = MessageDigest.getInstance(alg, p);
byte[] d1 = md.digest(data);
diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
index ea7909bc397..268f698276b 100644
--- a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
+++ b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 4856966
+ * @bug 4856966 8242332
* @summary
* @author Andreas Sterbenz
* @library /test/lib ..
@@ -37,6 +37,7 @@ import java.security.MessageDigest;
import java.security.Provider;
import java.util.Arrays;
import java.util.Random;
+import java.util.List;
public class ReinitDigest extends PKCS11Test {
@@ -46,19 +47,37 @@ public class ReinitDigest extends PKCS11Test {
@Override
public void main(Provider p) throws Exception {
- if (p.getService("MessageDigest", "MD5") == null) {
- System.out.println("Provider does not support MD5, skipping");
- return;
- }
+ List<String> ALGS = getSupportedAlgorithms("MessageDigest",
+ "SHA", p);
Random r = new Random();
byte[] data1 = new byte[10 * 1024];
byte[] data2 = new byte[10 * 1024];
r.nextBytes(data1);
r.nextBytes(data2);
- MessageDigest md;
- md = MessageDigest.getInstance("MD5", "SUN");
+
+ boolean success = true;
+ for (String alg : ALGS) {
+ try {
+ doTest(alg, p, data1, data2);
+ } catch (Exception e) {
+ System.out.println("Unexpected exception: " + e);
+ e.printStackTrace();
+ success = false;
+ }
+ }
+
+ if (!success) {
+ throw new RuntimeException("Test failed");
+ }
+ System.out.println("All tests passed");
+ }
+
+ private void doTest(String alg, Provider p, byte[] data1, byte[] data2)
+ throws Exception {
+ System.out.println("Testing " + alg);
+ MessageDigest md = MessageDigest.getInstance(alg, "SUN");
byte[] d1 = md.digest(data1);
- md = MessageDigest.getInstance("MD5", p);
+ md = MessageDigest.getInstance(alg, p);
byte[] d2 = md.digest(data1);
check(d1, d2);
byte[] d3 = md.digest(data1);
@@ -68,7 +87,6 @@ public class ReinitDigest extends PKCS11Test {
md.reset();
byte[] d4 = md.digest(data1);
check(d1, d4);
- System.out.println("All tests passed");
}
private static void check(byte[] d1, byte[] d2) throws Exception {
diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
index b931c8564b2..ace601c7233 100644
--- a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
+++ b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 6414899
+ * @bug 6414899 8242332
* @summary Ensure the cloning functionality works.
* @author Valerie Peng
* @library /test/lib ..
@@ -37,13 +37,10 @@ import java.security.MessageDigest;
import java.security.Provider;
import java.util.Arrays;
import java.util.Random;
+import java.util.List;
public class TestCloning extends PKCS11Test {
- private static final String[] ALGOS = {
- "MD2", "MD5", "SHA1", "SHA-224", "SHA-256", "SHA-384", "SHA-512"
- };
-
public static void main(String[] args) throws Exception {
main(new TestCloning(), args);
}
@@ -51,44 +48,28 @@ public class TestCloning extends PKCS11Test {
private static final byte[] data1 = new byte[10];
private static final byte[] data2 = new byte[10*1024];
-
@Override
public void main(Provider p) throws Exception {
+ List<String> ALGS = getSupportedAlgorithms("MessageDigest", "SHA", p);
Random r = new Random();
byte[] data1 = new byte[10];
byte[] data2 = new byte[2*1024];
r.nextBytes(data1);
r.nextBytes(data2);
System.out.println("Testing against provider " + p.getName());
- for (int i = 0; i < ALGOS.length; i++) {
- if (p.getService("MessageDigest", ALGOS[i]) == null) {
- System.out.println(ALGOS[i] + " is not supported, skipping");
- continue;
- } else {
- System.out.println("Testing " + ALGOS[i] + " of " + p.getName());
- MessageDigest md = MessageDigest.getInstance(ALGOS[i], p);
- try {
- md = testCloning(md, p);
- // repeat the test again after generating digest once
- for (int j = 0; j < 10; j++) {
- md = testCloning(md, p);
- }
- } catch (Exception ex) {
- if (ALGOS[i] == "MD2" &&
- p.getName().equalsIgnoreCase("SunPKCS11-NSS")) {
- // known bug in NSS; ignore for now
- System.out.println("Ignore Known bug in MD2 of NSS");
- continue;
- }
- throw ex;
- }
+ for (String alg : ALGS) {
+ System.out.println("Testing " + alg);
+ MessageDigest md = MessageDigest.getInstance(alg, p);
+ md = testCloning(md, p);
+ // repeat the test again after generating digest once
+ for (int j = 0; j < 10; j++) {
+ md = testCloning(md, p);
}
}
}
private static MessageDigest testCloning(MessageDigest mdObj, Provider p)
- throws Exception {
-
+ throws Exception {
// copy#0: clone at state BLANK w/o any data
MessageDigest mdCopy0 = (MessageDigest) mdObj.clone();
diff --git a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
index 26eeacffed9..f5de994779c 100644
--- a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
+++ b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 4856966
+ * @bug 4856966 8242332
* @summary Test the Signature.update(ByteBuffer) method
* @author Andreas Sterbenz
* @library /test/lib ..
@@ -70,10 +70,10 @@ public class ByteBuffers extends PKCS11Test {
random.nextBytes(t);
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
- kpg.initialize(512);
+ kpg.initialize(2048);
KeyPair kp = kpg.generateKeyPair();
- Signature sig = Signature.getInstance("MD5withRSA", p);
+ Signature sig = Signature.getInstance("SHA256withRSA", p);
sig.initSign(kp.getPrivate());
sig.update(t);
byte[] signature = sig.sign();
diff --git a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
index ccd66599fb0..a2fa7294977 100644
--- a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
+++ b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,7 +25,7 @@ import java.security.spec.*;
/**
* @test
- * @bug 8080462
+ * @bug 8080462 8242332
* @summary Make sure old state is cleared when init is called again
* @library /test/lib ..
* @modules jdk.crypto.cryptoki
@@ -38,18 +38,22 @@ public class InitAgainPSS extends PKCS11Test {
@Override
public void main(Provider p) throws Exception {
+ test("RSASSA-PSS", p);
+ }
+
+ private void test(String sigAlg, Provider p) throws Exception {
Signature s1;
try {
- s1 = Signature.getInstance("RSASSA-PSS", p);
+ s1 = Signature.getInstance(sigAlg, p);
} catch (NoSuchAlgorithmException e) {
- System.out.println("Skip testing RSASSA-PSS" +
+ System.out.println("Skip testing " + sigAlg +
" due to no support");
return;
}
byte[] msg = "hello".getBytes();
- Signature s2 = Signature.getInstance("RSASSA-PSS", p);
+ Signature s2 = Signature.getInstance(sigAlg, p);
PSSParameterSpec params = new PSSParameterSpec("SHA-256", "MGF1",
new MGF1ParameterSpec("SHA-256"), 32,
diff --git a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
index 2e4fedbf1d5..f1c0492b5fc 100644
--- a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
+++ b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,7 +26,7 @@ import java.security.spec.*;
/**
* @test
- * @bug 8080462 8226651
+ * @bug 8080462 8226651 8242332
* @summary Ensure that PSS key and params check are implemented properly
* regardless of call sequence
* @library /test/lib ..
@@ -55,6 +55,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
" due to no support");
return;
}
+
// NOTE: key length >= (digest length + 2) in bytes
// otherwise, even salt length = 0 would not work
runTest(p, 1024, "SHA-256", "SHA-256");
@@ -66,10 +67,30 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
runTest(p, 1040, "SHA-512", "SHA-256");
runTest(p, 1040, "SHA-512", "SHA-384");
runTest(p, 1040, "SHA-512", "SHA-512");
+ runTest(p, 1024, "SHA3-256", "SHA3-256");
+ runTest(p, 1024, "SHA3-256", "SHA3-384");
+ runTest(p, 1024, "SHA3-256", "SHA3-512");
+ runTest(p, 1024, "SHA3-384", "SHA3-256");
+ runTest(p, 1024, "SHA3-384", "SHA3-384");
+ runTest(p, 1024, "SHA3-384", "SHA3-512");
+ runTest(p, 1040, "SHA3-512", "SHA3-256");
+ runTest(p, 1040, "SHA3-512", "SHA3-384");
+ runTest(p, 1040, "SHA3-512", "SHA3-512");
}
private void runTest(Provider p, int keySize, String hashAlg,
String mgfHashAlg) throws Exception {
+
+ // skip further test if this provider does not support hashAlg or
+ // mgfHashAlg
+ try {
+ MessageDigest.getInstance(hashAlg, p);
+ MessageDigest.getInstance(mgfHashAlg, p);
+ } catch (NoSuchAlgorithmException nsae) {
+ System.out.println("No support for " + hashAlg + ", skip");
+ return;
+ }
+
System.out.println("Testing [" + keySize + " " + hashAlg + "]");
// create a key pair with the supplied size
@@ -95,6 +116,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
} catch (InvalidKeyException ike) {
System.out.println("test#1: got expected IKE");
}
+
sig.setParameter(paramsGood);
sig.initSign(priv);
System.out.println("test#1: pass");
@@ -108,8 +130,10 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
} catch (InvalidKeyException ike) {
System.out.println("test#2: got expected IKE");
}
+
sig.setParameter(paramsGood);
sig.initVerify(pub);
+
System.out.println("test#2: pass");
// test#3 - initSign, then setParameter
@@ -121,6 +145,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
} catch (InvalidAlgorithmParameterException iape) {
System.out.println("test#3: got expected IAPE");
}
+
sig.setParameter(paramsGood);
System.out.println("test#3: pass");
@@ -133,6 +158,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
} catch (InvalidAlgorithmParameterException iape) {
System.out.println("test#4: got expected IAPE");
}
+
sig.setParameter(paramsGood);
System.out.println("test#4: pass");
}
diff --git a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
index 42ca7fa203d..8c132ca7e4f 100644
--- a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
+++ b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
@@ -23,312 +23,13 @@
/*
* @test
- * @bug 4856966
+ * @bug 4856966 8242332
* @summary test that reinitializing Signatures works correctly
* @author Andreas Sterbenz
* @library /test/lib ..
* @key randomness
* @modules jdk.crypto.cryptoki
* @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
- * @run main ReinitSignature
*/
import java.security.KeyPair;
@@ -363,11 +64,11 @@ public class ReinitSignature extends PKCS11Test {
}
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
- kpg.initialize(512);
+ kpg.initialize(2048);
KeyPair kp = kpg.generateKeyPair();
PrivateKey privateKey = kp.getPrivate();
PublicKey publicKey = kp.getPublic();
- Signature sig = Signature.getInstance("MD5withRSA", p);
+ Signature sig = Signature.getInstance("SHA256withRSA", p);
byte[] data = new byte[10 * 1024];
new Random().nextBytes(data);
sig.initSign(privateKey);
diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
index 3c3edb5aa6a..11147022771 100644
--- a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
+++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -27,7 +27,7 @@ import java.security.interfaces.*;
/*
* @test
- * @bug 8080462 8226651
+ * @bug 8080462 8226651 8242332
* @summary testing interoperability of PSS signatures of PKCS11 provider
* against SunRsaSign provider
* @library /test/lib ..
diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java
new file mode 100644
index 00000000000..b8ea9863327
--- /dev/null
+++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.security.*;
+import java.security.spec.*;
+import java.security.interfaces.*;
+
+/*
+ * @test
+ * @bug 8080462 8226651 8242332
+ * @summary testing interoperability of PSS signatures of PKCS11 provider
+ * against SunRsaSign provider
+ * @library /test/lib ..
+ * @modules jdk.crypto.cryptoki
+ * @run main/othervm SigInteropPSS2
+ */
+public class SigInteropPSS2 extends PKCS11Test {
+
+ private static final byte[] MSG =
+ "Interoperability test between SunRsaSign and SunPKCS11".getBytes();
+
+ private static final String[] DIGESTS = {
+ "SHA224", "SHA256", "SHA384", "SHA512",
+ "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"
+ };
+
+ public static void main(String[] args) throws Exception {
+ main(new SigInteropPSS2(), args);
+ }
+
+ @Override
+ public void main(Provider p) throws Exception {
+
+ Signature sigPkcs11;
+ Signature sigSunRsaSign =
+ Signature.getInstance("RSASSA-PSS", "SunRsaSign");
+
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
+ kpg.initialize(3072);
+ KeyPair kp = kpg.generateKeyPair();
+
+ for (String digest : DIGESTS) {
+ try {
+ sigPkcs11 = Signature.getInstance(digest + "withRSASSA-PSS", p);
+ } catch (NoSuchAlgorithmException e) {
+ System.out.println("Skip testing " + digest + "withRSASSA-PSS" +
+ " due to no support");
+ continue;
+ }
+
+ runTest(sigPkcs11, sigSunRsaSign, kp);
+ }
+ System.out.println("Test passed");
+ }
+
+ static void runTest(Signature signer, Signature verifier, KeyPair kp)
+ throws Exception {
+ System.out.println("\tSign: " + signer.getProvider().getName());
+ System.out.println("\tVerify: " + verifier.getProvider().getName());
+
+ signer.initSign(kp.getPrivate());
+ signer.update(MSG);
+ byte[] sigBytes = signer.sign();
+
+ AlgorithmParameters signParams = signer.getParameters();
+ verifier.setParameter(signParams.getParameterSpec
+ (PSSParameterSpec.class));
+ verifier.initVerify(kp.getPublic());
+
+ verifier.update(MSG);
+ boolean isValid = verifier.verify(sigBytes);
+ if (isValid) {
+ System.out.println("\tPSS Signature verified");
+ } else {
+ throw new RuntimeException("ERROR verifying PSS Signature");
+ }
+ }
+}
diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
index 3a6dbe345e9..4c1f7284bbc 100644
--- a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
+++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -27,7 +27,7 @@ import java.util.stream.IntStream;
/**
* @test
- * @bug 8080462 8226651
+ * @bug 8080462 8226651 8242332
* @summary Generate a RSASSA-PSS signature and verify it using PKCS11 provider
* @library /test/lib ..
* @modules jdk.crypto.cryptoki
@@ -40,8 +40,10 @@ public class SignatureTestPSS extends PKCS11Test {
private static final String SIGALG = "RSASSA-PSS";
private static final int[] KEYSIZES = { 2048, 3072 };
- private static final String[] DIGESTS = { "SHA-224", "SHA-256",
- "SHA-384" , "SHA-512" };
+ private static final String[] DIGESTS = {
+ "SHA-224", "SHA-256", "SHA-384" , "SHA-512",
+ "SHA3-224", "SHA3-256", "SHA3-384" , "SHA3-512",
+ };
private Provider prov;
/**
@@ -115,7 +117,22 @@ public class SignatureTestPSS extends PKCS11Test {
throws NoSuchAlgorithmException, InvalidKeyException,
SignatureException, NoSuchProviderException,
InvalidAlgorithmParameterException {
- System.out.println("Testing against " + hash + " and MGF1_" + mgfHash);
+
+ String testName = hash + " and MGF1_" + mgfHash;
+ // only test RSASSA-PSS signature against the supplied hash/mgfHash
+ // if they are supported; otherwise PKCS11 library will throw
+ // CKR_MECHANISM_PARAM_INVALID at Signature.initXXX calls
+ try {
+ MessageDigest md = MessageDigest.getInstance(hash, prov);
+ if (!hash.equalsIgnoreCase(mgfHash)) {
+ md = MessageDigest.getInstance(mgfHash, prov);
+ }
+ } catch (NoSuchAlgorithmException nsae) {
+ System.out.println("Skip testing " + hash + "/" + mgfHash);
+ return;
+ }
+
+ System.out.println("Testing against " + testName);
Signature sig = Signature.getInstance(SIGALG, prov);
AlgorithmParameterSpec params = new PSSParameterSpec(
hash, "MGF1", new MGF1ParameterSpec(mgfHash), 0, 1);
diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java
new file mode 100644
index 00000000000..516b17972e5
--- /dev/null
+++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+import java.security.*;
+import java.security.interfaces.*;
+import java.security.spec.*;
+import java.util.stream.IntStream;
+
+/**
+ * @test
+ * @bug 8244154 8242332
+ * @summary Generate a <digest>withRSASSA-PSS signature and verify it using
+ * PKCS11 provider
+ * @library /test/lib ..
+ * @modules jdk.crypto.cryptoki
+ * @run main SignatureTestPSS2
+ */
+public class SignatureTestPSS2 extends PKCS11Test {
+
+ // PKCS11 does not support RSASSA-PSS keys yet
+ private static final String KEYALG = "RSA";
+ private static final String[] SIGALGS = {
+ "SHA224withRSASSA-PSS", "SHA256withRSASSA-PSS",
+ "SHA384withRSASSA-PSS", "SHA512withRSASSA-PSS",
+ "SHA3-224withRSASSA-PSS", "SHA3-256withRSASSA-PSS",
+ "SHA3-384withRSASSA-PSS", "SHA3-512withRSASSA-PSS"
+ };
+
+ private static final int[] KEYSIZES = { 2048, 3072 };
+
+ /**
+ * How much times signature updated.
+ */
+ private static final int UPDATE_TIMES = 2;
+
+ public static void main(String[] args) throws Exception {
+ main(new SignatureTestPSS2(), args);
+ }
+
+ @Override
+ public void main(Provider p) throws Exception {
+ for (String sa : SIGALGS) {
+ Signature sig;
+ try {
+ sig = Signature.getInstance(sa, p);
+ } catch (NoSuchAlgorithmException e) {
+ System.out.println("Skip testing " + sa +
+ " due to no support");
+ return;
+ }
+ for (int i : KEYSIZES) {
+ runTest(sig, i);
+ }
+ }
+ }
+
+ private static void runTest(Signature s, int keySize) throws Exception {
+ byte[] data = new byte[100];
+ IntStream.range(0, data.length).forEach(j -> {
+ data[j] = (byte) j;
+ });
+ System.out.println("[KEYSIZE = " + keySize + "]");
+
+ // create a key pair
+ KeyPair kpair = generateKeys(KEYALG, keySize, s.getProvider());
+ test(s, kpair.getPrivate(), kpair.getPublic(), data);
+ }
+
+ private static void test(Signature sig, PrivateKey privKey,
+ PublicKey pubKey, byte[] data) throws RuntimeException {
+ // For signature algorithm, create and verify a signature
+ try {
+ checkSignature(sig, privKey, pubKey, data);
+ } catch (NoSuchAlgorithmException | InvalidKeyException |
+ SignatureException | NoSuchProviderException ex) {
+ throw new RuntimeException(ex);
+ } catch (InvalidAlgorithmParameterException ex2) {
+ System.out.println("Skip test due to " + ex2);
+ }
+ }
+
+ private static KeyPair generateKeys(String keyalg, int size, Provider p)
+ throws NoSuchAlgorithmException {
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyalg, p);
+ kpg.initialize(size);
+ return kpg.generateKeyPair();
+ }
+
+ private static void checkSignature(Signature sig, PrivateKey priv,
+ PublicKey pub, byte[] data) throws NoSuchAlgorithmException,
+ InvalidKeyException, SignatureException, NoSuchProviderException,
+ InvalidAlgorithmParameterException {
+ System.out.println("Testing against " + sig.getAlgorithm());
+ sig.initSign(priv);
+ for (int i = 0; i < UPDATE_TIMES; i++) {
+ sig.update(data);
+ }
+ byte[] signedData = sig.sign();
+
+ // Make sure signature verifies with original data
+ // do we need to call sig.setParameter(params) again?
+ sig.initVerify(pub);
+ for (int i = 0; i < UPDATE_TIMES; i++) {
+ sig.update(data);
+ }
+ if (!sig.verify(signedData)) {
+ throw new RuntimeException("Failed to verify signature");
+ }
+
+ // Make sure signature does NOT verify when the original data
+ // has changed
+ sig.initVerify(pub);
+ for (int i = 0; i < UPDATE_TIMES + 1; i++) {
+ sig.update(data);
+ }
+
+ if (sig.verify(signedData)) {
+ throw new RuntimeException("Failed to detect bad signature");
+ }
+ }
+}
diff --git a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
index 222f8a2a5ed..3161de6fc50 100644
--- a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
+++ b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -22,7 +22,7 @@
*/
/*
* @test
- * @bug 8080462
+ * @bug 8080462 8242332
* @library /test/lib ..
* @modules jdk.crypto.cryptoki
* @run main/othervm/timeout=250 TestDSA2
@@ -40,8 +40,12 @@ public class TestDSA2 extends PKCS11Test {
private static final String[] SIG_ALGOS = {
"SHA224withDSA",
"SHA256withDSA",
- //"SHA384withDSA",
- //"SHA512withDSA",
+ "SHA3-224withDSA",
+ "SHA3-256withDSA",
+ "SHA384withDSA",
+ "SHA512withDSA",
+ "SHA3-384withDSA",
+ "SHA3-512withDSA",
};
private static final int KEYSIZE = 2048;
@@ -59,25 +63,33 @@ public class TestDSA2 extends PKCS11Test {
kp = kpg.generateKeyPair();
} catch (Exception ex) {
System.out.println("Skip due to no 2048-bit DSA support: " + ex);
- ex.printStackTrace();
return;
}
+ boolean allPass = true;
for (String sigAlg : SIG_ALGOS) {
- test(sigAlg, kp, p);
+ System.out.println("Testing " + sigAlg);
+ try {
+ Signature sig = Signature.getInstance(sigAlg, p);
+ test(sig, kp, p);
+ } catch (NoSuchAlgorithmException nsae) {
+ System.out.println("=>Skip due to no support");
+ } catch (Exception ex) {
+ System.out.println("Unexpected exception when testing " +
+ sigAlg);
+ ex.printStackTrace();
+ allPass = false;
+ }
+ }
+ if (allPass) {
+ System.out.println("Tests Passed");
+ } else {
+ throw new RuntimeException("One or more tests failed");
}
}
- private static void test(String sigAlg, KeyPair kp, Provider p)
+ private static void test(Signature sig, KeyPair kp, Provider p)
throws Exception {
- Signature sig;
- try {
- sig = Signature.getInstance(sigAlg, p);
- } catch (Exception ex) {
- System.out.println("Skip due to no support: " + sigAlg);
- ex.printStackTrace();
- return;
- }
byte[] data = "anything will do".getBytes();
@@ -85,9 +97,10 @@ public class TestDSA2 extends PKCS11Test {
sig.update(data);
byte[] signature = sig.sign();
- sig.initVerify(kp.getPublic());
- sig.update(data);
- boolean verifies = sig.verify(signature);
- System.out.println(sigAlg + ": Passed");
+ Signature sigV = Signature.getInstance(sig.getAlgorithm() , p);
+ sigV.initVerify(kp.getPublic());
+ sigV.update(data);
+ boolean verifies = sigV.verify(signature);
+ System.out.println("=> Passed");
}
}
diff --git a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
index f469ca17b65..7e5a012a5ec 100644
--- a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
+++ b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
@@ -22,8 +22,8 @@
*/
/*
- * @test %W% %E%
- * @bug 6695485
+ * @test
+ * @bug 6695485 8242332
* @summary Make sure initSign/initVerify() check RSA key lengths
* @author Yu-Ching Valerie Peng
* @library /test/lib ..
@@ -65,9 +65,14 @@ public class TestRSAKeyLength extends PKCS11Test {
return;
}
- boolean isValidKeyLength[] = { true, true, true, false, false };
- String algos[] = { "SHA1withRSA", "SHA224withRSA", "SHA256withRSA",
- "SHA384withRSA", "SHA512withRSA" };
+ boolean isValidKeyLength[] = {
+ true, true, true, false, false, true, true, false, false
+ };
+ String algos[] = {
+ "SHA1withRSA", "SHA224withRSA", "SHA256withRSA",
+ "SHA384withRSA", "SHA512withRSA", "SHA3-224withRSA",
+ "SHA3-256withRSA", "SHA3-384withRSA", "SHA3-512withRSA"
+ };
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
kpg.initialize(512);
KeyPair kp = kpg.generateKeyPair();
diff --git a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
index 49778ea954c..576b1dc4d69 100644
--- a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
+++ b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
@@ -11,12 +11,23 @@ library = ${pkcs11test.nss.lib}
nssArgs = "configdir='${pkcs11test.nss.db}' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly"
-# HMAC_SHA256/384/512 broken until NSS 3.10.2
-# see https://bugzilla.mozilla.org/show_bug.cgi?id=291858
disabledMechanisms = {
- CKM_SHA256_HMAC
- CKM_SHA384_HMAC
- CKM_SHA512_HMAC
+ CKM_DSA_SHA224
+ CKM_DSA_SHA256
+ CKM_DSA_SHA384
+ CKM_DSA_SHA512
+ CKM_DSA_SHA3_224
+ CKM_DSA_SHA3_256
+ CKM_DSA_SHA3_384
+ CKM_DSA_SHA3_512
+ CKM_ECDSA_SHA224
+ CKM_ECDSA_SHA256
+ CKM_ECDSA_SHA384
+ CKM_ECDSA_SHA512
+ CKM_ECDSA_SHA3_224
+ CKM_ECDSA_SHA3_256
+ CKM_ECDSA_SHA3_384
+ CKM_ECDSA_SHA3_512
}
attributes = compatibility