354f2edc44
Rewrite ELF files so the source file path is correct and debugsources can be assembled Backport SHA-3 support for PKCS11 provider Sync patch set with portable build we are using by removing rh1648644-java_access_bridge_privileged_security.patch Related: RHEL-30918
2732 lines
107 KiB
Diff
2732 lines
107 KiB
Diff
commit 81c2107a9188680f7c35ebc7697b292d5972436e
|
|
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
|
Date: Mon Feb 27 13:22:43 2023 +0000
|
|
|
|
Backport 78be334c3817a1b5840922a9bf1339a40dcc5185
|
|
|
|
diff --git a/src/java.base/share/classes/sun/security/util/KnownOIDs.java b/src/java.base/share/classes/sun/security/util/KnownOIDs.java
|
|
index 92ecb9adc0c..a5848c96aad 100644
|
|
--- a/src/java.base/share/classes/sun/security/util/KnownOIDs.java
|
|
+++ b/src/java.base/share/classes/sun/security/util/KnownOIDs.java
|
|
@@ -155,6 +155,14 @@ public enum KnownOIDs {
|
|
SHA256withDSA("2.16.840.1.101.3.4.3.2"),
|
|
SHA384withDSA("2.16.840.1.101.3.4.3.3"),
|
|
SHA512withDSA("2.16.840.1.101.3.4.3.4"),
|
|
+ SHA3_224withDSA("2.16.840.1.101.3.4.3.5", "SHA3-224withDSA"),
|
|
+ SHA3_256withDSA("2.16.840.1.101.3.4.3.6", "SHA3-256withDSA"),
|
|
+ SHA3_384withDSA("2.16.840.1.101.3.4.3.7", "SHA3-384withDSA"),
|
|
+ SHA3_512withDSA("2.16.840.1.101.3.4.3.8", "SHA3-512withDSA"),
|
|
+ SHA3_224withECDSA("2.16.840.1.101.3.4.3.9", "SHA3-224withECDSA"),
|
|
+ SHA3_256withECDSA("2.16.840.1.101.3.4.3.10", "SHA3-256withECDSA"),
|
|
+ SHA3_384withECDSA("2.16.840.1.101.3.4.3.11", "SHA3-384withECDSA"),
|
|
+ SHA3_512withECDSA("2.16.840.1.101.3.4.3.12", "SHA3-512withECDSA"),
|
|
SHA3_224withRSA("2.16.840.1.101.3.4.3.13", "SHA3-224withRSA"),
|
|
SHA3_256withRSA("2.16.840.1.101.3.4.3.14", "SHA3-256withRSA"),
|
|
SHA3_384withRSA("2.16.840.1.101.3.4.3.15", "SHA3-384withRSA"),
|
|
diff --git a/src/java.base/share/classes/sun/security/util/SignatureUtil.java b/src/java.base/share/classes/sun/security/util/SignatureUtil.java
|
|
index 32c089fd96d..7d5c0c7e299 100644
|
|
--- a/src/java.base/share/classes/sun/security/util/SignatureUtil.java
|
|
+++ b/src/java.base/share/classes/sun/security/util/SignatureUtil.java
|
|
@@ -168,4 +168,22 @@ public class SignatureUtil {
|
|
InvalidKeyException {
|
|
SharedSecrets.getJavaSecuritySignatureAccess().initSign(s, key, params, sr);
|
|
}
|
|
+
|
|
+ /**
|
|
+ * Extracts the digest algorithm name from a signature
|
|
+ * algorithm name in either the "DIGESTwithENCRYPTION" or the
|
|
+ * "DIGESTwithENCRYPTIONandWHATEVER" format.
|
|
+ *
|
|
+ * It's OK to return "SHA1" instead of "SHA-1".
|
|
+ */
|
|
+ public static String extractDigestAlgFromDwithE(String signatureAlgorithm) {
|
|
+ signatureAlgorithm = signatureAlgorithm.toUpperCase(Locale.ENGLISH);
|
|
+ int with = signatureAlgorithm.indexOf("WITH");
|
|
+ if (with > 0) {
|
|
+ return signatureAlgorithm.substring(0, with);
|
|
+ } else {
|
|
+ throw new IllegalArgumentException(
|
|
+ "Unknown algorithm: " + signatureAlgorithm);
|
|
+ }
|
|
+ }
|
|
}
|
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
|
|
index 41fe61b8a16..daf0bc9f69c 100644
|
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
|
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -41,7 +41,8 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
|
|
|
/**
|
|
* MessageDigest implementation class. This class currently supports
|
|
- * MD2, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
|
|
+ * MD2, MD5, SHA-1, SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512)
|
|
+ * and SHA-3 family (SHA3-224, SHA3-256, SHA3-384, and SHA3-512) of digests.
|
|
*
|
|
* Note that many digest operations are on fairly small amounts of data
|
|
* (less than 100 bytes total). For example, the 2nd hashing in HMAC or
|
|
@@ -104,16 +105,20 @@ final class P11Digest extends MessageDigestSpi implements Cloneable,
|
|
break;
|
|
case (int)CKM_SHA224:
|
|
case (int)CKM_SHA512_224:
|
|
+ case (int)CKM_SHA3_224:
|
|
digestLength = 28;
|
|
break;
|
|
case (int)CKM_SHA256:
|
|
case (int)CKM_SHA512_256:
|
|
+ case (int)CKM_SHA3_256:
|
|
digestLength = 32;
|
|
break;
|
|
case (int)CKM_SHA384:
|
|
+ case (int)CKM_SHA3_384:
|
|
digestLength = 48;
|
|
break;
|
|
case (int)CKM_SHA512:
|
|
+ case (int)CKM_SHA3_512:
|
|
digestLength = 64;
|
|
break;
|
|
default:
|
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
|
|
index 926414608cb..f343e6025e1 100644
|
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
|
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java
|
|
@@ -36,7 +36,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
|
|
|
/**
|
|
* KeyGenerator implementation class. This class currently supports
|
|
- * DES, DESede, AES, ARCFOUR, and Blowfish.
|
|
+ * DES, DESede, AES, ARCFOUR, Blowfish, Hmac using MD5, SHA, SHA-2 family
|
|
+ * (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256), and SHA-3
|
|
+ * family (SHA3-224, SHA3-256, SHA3-384, SHA3-512) of digests.
|
|
*
|
|
* @author Andreas Sterbenz
|
|
* @since 1.5
|
|
@@ -65,6 +67,48 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
|
|
// are supported.
|
|
private boolean supportBothKeySizes;
|
|
|
|
+ // for determining if the specified key size is valid
|
|
+ private final CK_MECHANISM_INFO range;
|
|
+
|
|
+ // utility method for query the native key sizes and enforcing the
|
|
+ // java-specific lower limit; returned values are in bits
|
|
+ private static CK_MECHANISM_INFO getSupportedRange(Token token,
|
|
+ long mech) throws ProviderException {
|
|
+ // No need to query for fix-length algorithms
|
|
+ if (mech == CKM_DES_KEY_GEN || mech == CKM_DES2_KEY_GEN ||
|
|
+ mech == CKM_DES3_KEY_GEN) {
|
|
+ return null;
|
|
+ }
|
|
+
|
|
+ // Explicitly disallow keys shorter than 40-bits for security
|
|
+ int lower = 40;
|
|
+ int upper = Integer.MAX_VALUE;
|
|
+ try {
|
|
+ CK_MECHANISM_INFO info = token.getMechanismInfo(mech);
|
|
+ if (info != null) {
|
|
+ boolean isBytes = ((mech != CKM_GENERIC_SECRET_KEY_GEN
|
|
+ && mech != CKM_RC4_KEY_GEN) || info.iMinKeySize < 8);
|
|
+ lower = Math.max(lower, (isBytes?
|
|
+ Math.multiplyExact(info.iMinKeySize, 8) :
|
|
+ info.iMinKeySize));
|
|
+ // NSS CKM_GENERIC_SECRET_KEY_GEN mech info is not precise;
|
|
+ // its upper limit is too low and does not match its impl
|
|
+ if (mech == CKM_GENERIC_SECRET_KEY_GEN &&
|
|
+ info.iMaxKeySize <= 32) {
|
|
+ // ignore and leave upper limit at MAX_VALUE;
|
|
+ } else if (info.iMaxKeySize != Integer.MAX_VALUE) {
|
|
+ upper = (isBytes?
|
|
+ Math.multiplyExact(info.iMaxKeySize, 8) :
|
|
+ info.iMaxKeySize);
|
|
+ }
|
|
+ }
|
|
+ } catch (PKCS11Exception p11e) {
|
|
+ // Should never happen
|
|
+ throw new ProviderException("Cannot retrieve mechanism info", p11e);
|
|
+ }
|
|
+ return new CK_MECHANISM_INFO(lower, upper, 0 /* flags not used */);
|
|
+ }
|
|
+
|
|
/**
|
|
* Utility method for checking if the specified key size is valid
|
|
* and within the supported range. Return the significant key size
|
|
@@ -78,8 +122,15 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
|
|
* @throws ProviderException if this mechanism isn't supported by SunPKCS11
|
|
* or underlying native impl.
|
|
*/
|
|
+ // called by P11SecretKeyFactory to check key size
|
|
static int checkKeySize(long keyGenMech, int keySize, Token token)
|
|
throws InvalidAlgorithmParameterException, ProviderException {
|
|
+ CK_MECHANISM_INFO range = getSupportedRange(token, keyGenMech);
|
|
+ return checkKeySize(keyGenMech, keySize, range);
|
|
+ }
|
|
+
|
|
+ private static int checkKeySize(long keyGenMech, int keySize,
|
|
+ CK_MECHANISM_INFO range) throws InvalidAlgorithmParameterException {
|
|
int sigKeySize;
|
|
switch ((int)keyGenMech) {
|
|
case (int)CKM_DES_KEY_GEN:
|
|
@@ -102,45 +153,17 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
|
|
break;
|
|
default:
|
|
// Handle all variable-key-length algorithms here
|
|
- CK_MECHANISM_INFO info = null;
|
|
- try {
|
|
- info = token.getMechanismInfo(keyGenMech);
|
|
- } catch (PKCS11Exception p11e) {
|
|
- // Should never happen
|
|
- throw new ProviderException
|
|
- ("Cannot retrieve mechanism info", p11e);
|
|
- }
|
|
- if (info == null) {
|
|
- // XXX Unable to retrieve the supported key length from
|
|
- // the underlying native impl. Skip the checking for now.
|
|
- return keySize;
|
|
- }
|
|
- // PKCS#11 defines these to be in number of bytes except for
|
|
- // RC4 which is in bits. However, some PKCS#11 impls still use
|
|
- // bytes for all mechs, e.g. NSS. We try to detect this
|
|
- // inconsistency if the minKeySize seems unreasonably small.
|
|
- int minKeySize = info.iMinKeySize;
|
|
- int maxKeySize = info.iMaxKeySize;
|
|
- if (keyGenMech != CKM_RC4_KEY_GEN || minKeySize < 8) {
|
|
- minKeySize = Math.multiplyExact(minKeySize, 8);
|
|
- if (maxKeySize != Integer.MAX_VALUE) {
|
|
- maxKeySize = Math.multiplyExact(maxKeySize, 8);
|
|
- }
|
|
- }
|
|
- // Explicitly disallow keys shorter than 40-bits for security
|
|
- if (minKeySize < 40) minKeySize = 40;
|
|
- if (keySize < minKeySize || keySize > maxKeySize) {
|
|
+ if (range != null && keySize < range.iMinKeySize
|
|
+ || keySize > range.iMaxKeySize) {
|
|
throw new InvalidAlgorithmParameterException
|
|
- ("Key length must be between " + minKeySize +
|
|
- " and " + maxKeySize + " bits");
|
|
+ ("Key length must be between " + range.iMinKeySize +
|
|
+ " and " + range.iMaxKeySize + " bits");
|
|
}
|
|
if (keyGenMech == CKM_AES_KEY_GEN) {
|
|
if ((keySize != 128) && (keySize != 192) &&
|
|
(keySize != 256)) {
|
|
throw new InvalidAlgorithmParameterException
|
|
- ("AES key length must be " + minKeySize +
|
|
- (maxKeySize >= 192? ", 192":"") +
|
|
- (maxKeySize >= 256? ", or 256":"") + " bits");
|
|
+ ("AES key length must be 128, 192, or 256 bits");
|
|
}
|
|
}
|
|
sigKeySize = keySize;
|
|
@@ -148,6 +171,20 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
|
|
return sigKeySize;
|
|
}
|
|
|
|
+ // check the supplied keysize (in bits) and adjust it based on the given
|
|
+ // range
|
|
+ private static int adjustKeySize(int ks, CK_MECHANISM_INFO mi) {
|
|
+ // adjust to fit within the supported range
|
|
+ if (mi != null) {
|
|
+ if (ks < mi.iMinKeySize) {
|
|
+ ks = mi.iMinKeySize;
|
|
+ } else if (ks > mi.iMaxKeySize) {
|
|
+ ks = mi.iMaxKeySize;
|
|
+ }
|
|
+ }
|
|
+ return ks;
|
|
+ }
|
|
+
|
|
P11KeyGenerator(Token token, String algorithm, long mechanism)
|
|
throws PKCS11Exception {
|
|
super();
|
|
@@ -164,54 +201,140 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
|
|
(token.provider.config.isEnabled(CKM_DES2_KEY_GEN) &&
|
|
(token.getMechanismInfo(CKM_DES2_KEY_GEN) != null));
|
|
}
|
|
- setDefaultKeySize();
|
|
+ this.range = getSupportedRange(token, mechanism);
|
|
+ setDefault();
|
|
}
|
|
|
|
- // set default keysize and also initialize keyType
|
|
- private void setDefaultKeySize() {
|
|
+ // set default keysize and keyType
|
|
+ private void setDefault() {
|
|
+ significantKeySize = -1;
|
|
switch ((int)mechanism) {
|
|
case (int)CKM_DES_KEY_GEN:
|
|
keySize = 64;
|
|
keyType = CKK_DES;
|
|
+ significantKeySize = 56;
|
|
break;
|
|
case (int)CKM_DES2_KEY_GEN:
|
|
keySize = 128;
|
|
keyType = CKK_DES2;
|
|
+ significantKeySize = 112;
|
|
break;
|
|
case (int)CKM_DES3_KEY_GEN:
|
|
keySize = 192;
|
|
keyType = CKK_DES3;
|
|
+ significantKeySize = 168;
|
|
break;
|
|
case (int)CKM_AES_KEY_GEN:
|
|
- keySize = 128;
|
|
+ keySize = adjustKeySize(128, range);
|
|
keyType = CKK_AES;
|
|
break;
|
|
case (int)CKM_RC4_KEY_GEN:
|
|
- keySize = 128;
|
|
+ keySize = adjustKeySize(128, range);
|
|
keyType = CKK_RC4;
|
|
break;
|
|
case (int)CKM_BLOWFISH_KEY_GEN:
|
|
- keySize = 128;
|
|
+ keySize = adjustKeySize(128, range);
|
|
keyType = CKK_BLOWFISH;
|
|
break;
|
|
case (int)CKM_CHACHA20_KEY_GEN:
|
|
keySize = 256;
|
|
keyType = CKK_CHACHA20;
|
|
break;
|
|
+ case (int)CKM_SHA_1_KEY_GEN:
|
|
+ keySize = adjustKeySize(160, range);
|
|
+ keyType = CKK_SHA_1_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_SHA224_KEY_GEN:
|
|
+ keySize = adjustKeySize(224, range);
|
|
+ keyType = CKK_SHA224_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_SHA256_KEY_GEN:
|
|
+ keySize = adjustKeySize(256, range);
|
|
+ keyType = CKK_SHA256_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_SHA384_KEY_GEN:
|
|
+ keySize = adjustKeySize(384, range);
|
|
+ keyType = CKK_SHA384_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_SHA512_KEY_GEN:
|
|
+ keySize = adjustKeySize(512, range);
|
|
+ keyType = CKK_SHA512_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_SHA512_224_KEY_GEN:
|
|
+ keySize = adjustKeySize(224, range);
|
|
+ keyType = CKK_SHA512_224_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_SHA512_256_KEY_GEN:
|
|
+ keySize = adjustKeySize(256, range);
|
|
+ keyType = CKK_SHA512_256_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_SHA3_224_KEY_GEN:
|
|
+ keySize = adjustKeySize(224, range);
|
|
+ keyType = CKK_SHA3_224_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_SHA3_256_KEY_GEN:
|
|
+ keySize = adjustKeySize(256, range);
|
|
+ keyType = CKK_SHA3_256_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_SHA3_384_KEY_GEN:
|
|
+ keySize = adjustKeySize(384, range);
|
|
+ keyType = CKK_SHA3_384_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_SHA3_512_KEY_GEN:
|
|
+ keySize = adjustKeySize(512, range);
|
|
+ keyType = CKK_SHA3_512_HMAC;
|
|
+ break;
|
|
+ case (int)CKM_GENERIC_SECRET_KEY_GEN:
|
|
+ if (algorithm.startsWith("Hmac")) {
|
|
+ String digest = algorithm.substring(4);
|
|
+ switch (digest) {
|
|
+ case "MD5":
|
|
+ keySize = 512;
|
|
+ break;
|
|
+ case "SHA1":
|
|
+ keySize = 160;
|
|
+ break;
|
|
+ case "SHA224":
|
|
+ case "SHA512/224":
|
|
+ case "SHA3-224":
|
|
+ keySize = 224;
|
|
+ break;
|
|
+ case "SHA256":
|
|
+ case "SHA512/256":
|
|
+ case "SHA3-256":
|
|
+ keySize = 256;
|
|
+ break;
|
|
+ case "SHA384":
|
|
+ case "SHA3-384":
|
|
+ keySize = 384;
|
|
+ break;
|
|
+ case "SHA512":
|
|
+ case "SHA3-512":
|
|
+ keySize = 512;
|
|
+ break;
|
|
+ default:
|
|
+ throw new ProviderException("Unsupported algorithm " +
|
|
+ algorithm);
|
|
+ }
|
|
+ keySize = adjustKeySize(keySize, range);
|
|
+ } else {
|
|
+ throw new ProviderException("Unsupported algorithm " +
|
|
+ algorithm);
|
|
+ }
|
|
+ keyType = CKK_GENERIC_SECRET;
|
|
+ break;
|
|
default:
|
|
throw new ProviderException("Unknown mechanism " + mechanism);
|
|
}
|
|
- try {
|
|
- significantKeySize = checkKeySize(mechanism, keySize, token);
|
|
- } catch (InvalidAlgorithmParameterException iape) {
|
|
- throw new ProviderException("Unsupported default key size", iape);
|
|
+ if (significantKeySize == -1) {
|
|
+ significantKeySize = keySize;
|
|
}
|
|
}
|
|
|
|
// see JCE spec
|
|
protected void engineInit(SecureRandom random) {
|
|
token.ensureValid();
|
|
- setDefaultKeySize();
|
|
+ setDefault();
|
|
}
|
|
|
|
// see JCE spec
|
|
@@ -226,7 +349,7 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
|
|
token.ensureValid();
|
|
int newSignificantKeySize;
|
|
try {
|
|
- newSignificantKeySize = checkKeySize(mechanism, keySize, token);
|
|
+ newSignificantKeySize = checkKeySize(mechanism, keySize, range);
|
|
} catch (InvalidAlgorithmParameterException iape) {
|
|
throw (InvalidParameterException)
|
|
(new InvalidParameterException().initCause(iape));
|
|
@@ -258,10 +381,11 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
|
|
try {
|
|
session = token.getObjSession();
|
|
CK_ATTRIBUTE[] attributes;
|
|
- switch ((int)keyType) {
|
|
- case (int)CKK_DES:
|
|
- case (int)CKK_DES2:
|
|
- case (int)CKK_DES3:
|
|
+
|
|
+ switch ((int)mechanism) {
|
|
+ case (int)CKM_DES_KEY_GEN:
|
|
+ case (int)CKM_DES2_KEY_GEN:
|
|
+ case (int)CKM_DES3_KEY_GEN:
|
|
// fixed length, do not specify CKA_VALUE_LEN
|
|
attributes = new CK_ATTRIBUTE[] {
|
|
new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
|
|
@@ -286,5 +410,4 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
|
|
token.releaseSession(session);
|
|
}
|
|
}
|
|
-
|
|
}
|
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
|
index c88e4a6ace5..29b26651c39 100644
|
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
|
@@ -39,8 +39,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
|
|
|
/**
|
|
* MAC implementation class. This class currently supports HMAC using
|
|
- * MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC
|
|
- * using MD5 and SHA-1.
|
|
+ * MD5, SHA-1, SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512),
|
|
+ * SHA-3 family (SHA3-224, SHA3-256, SHA3-384, and SHA3-512), and the
|
|
+ * SSL3 MAC using MD5 and SHA-1.
|
|
*
|
|
* Note that unlike other classes (e.g. Signature), this does not
|
|
* composite various operations if the token only supports part of the
|
|
@@ -92,16 +93,20 @@ final class P11Mac extends MacSpi {
|
|
break;
|
|
case (int)CKM_SHA224_HMAC:
|
|
case (int)CKM_SHA512_224_HMAC:
|
|
+ case (int)CKM_SHA3_224_HMAC:
|
|
macLength = 28;
|
|
break;
|
|
case (int)CKM_SHA256_HMAC:
|
|
case (int)CKM_SHA512_256_HMAC:
|
|
+ case (int)CKM_SHA3_256_HMAC:
|
|
macLength = 32;
|
|
break;
|
|
case (int)CKM_SHA384_HMAC:
|
|
+ case (int)CKM_SHA3_384_HMAC:
|
|
macLength = 48;
|
|
break;
|
|
case (int)CKM_SHA512_HMAC:
|
|
+ case (int)CKM_SHA3_512_HMAC:
|
|
macLength = 64;
|
|
break;
|
|
case (int)CKM_SSL3_MD5_MAC:
|
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
|
index 26eaa4735f1..905b6ea9562 100644
|
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
|
@@ -38,6 +38,7 @@ import java.security.spec.MGF1ParameterSpec;
|
|
import java.security.spec.PSSParameterSpec;
|
|
import java.security.interfaces.*;
|
|
import sun.security.pkcs11.wrapper.*;
|
|
+import sun.security.util.KnownOIDs;
|
|
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
|
|
|
|
|
@@ -52,6 +53,10 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
|
* . SHA256withRSASSA-PSS
|
|
* . SHA384withRSASSA-PSS
|
|
* . SHA512withRSASSA-PSS
|
|
+ * . SHA3-224withRSASSA-PSS
|
|
+ * . SHA3-256withRSASSA-PSS
|
|
+ * . SHA3-384withRSASSA-PSS
|
|
+ * . SHA3-512withRSASSA-PSS
|
|
*
|
|
* Note that the underlying PKCS#11 token may support complete signature
|
|
* algorithm (e.g. CKM_<md>_RSA_PKCS_PSS), or it may just
|
|
@@ -71,20 +76,28 @@ final class P11PSSSignature extends SignatureSpi {
|
|
|
|
static {
|
|
DIGEST_LENGTHS.put("SHA-1", 20);
|
|
- DIGEST_LENGTHS.put("SHA", 20);
|
|
- DIGEST_LENGTHS.put("SHA1", 20);
|
|
DIGEST_LENGTHS.put("SHA-224", 28);
|
|
- DIGEST_LENGTHS.put("SHA224", 28);
|
|
DIGEST_LENGTHS.put("SHA-256", 32);
|
|
- DIGEST_LENGTHS.put("SHA256", 32);
|
|
DIGEST_LENGTHS.put("SHA-384", 48);
|
|
- DIGEST_LENGTHS.put("SHA384", 48);
|
|
DIGEST_LENGTHS.put("SHA-512", 64);
|
|
- DIGEST_LENGTHS.put("SHA512", 64);
|
|
DIGEST_LENGTHS.put("SHA-512/224", 28);
|
|
- DIGEST_LENGTHS.put("SHA512/224", 28);
|
|
DIGEST_LENGTHS.put("SHA-512/256", 32);
|
|
- DIGEST_LENGTHS.put("SHA512/256", 32);
|
|
+ DIGEST_LENGTHS.put("SHA3-224", 28);
|
|
+ DIGEST_LENGTHS.put("SHA3-256", 32);
|
|
+ DIGEST_LENGTHS.put("SHA3-384", 48);
|
|
+ DIGEST_LENGTHS.put("SHA3-512", 64);
|
|
+ }
|
|
+
|
|
+ // utility method for looking up the std digest algorithms
|
|
+ private static String toStdName(String givenDigestAlg) {
|
|
+ if (givenDigestAlg == null) return null;
|
|
+
|
|
+ KnownOIDs given2 = KnownOIDs.findMatch(givenDigestAlg);
|
|
+ if (given2 == null) {
|
|
+ return givenDigestAlg;
|
|
+ } else {
|
|
+ return given2.stdName();
|
|
+ }
|
|
}
|
|
|
|
// utility method for comparing digest algorithms
|
|
@@ -92,24 +105,8 @@ final class P11PSSSignature extends SignatureSpi {
|
|
private static boolean isDigestEqual(String stdAlg, String givenAlg) {
|
|
if (stdAlg == null || givenAlg == null) return false;
|
|
|
|
- if (givenAlg.indexOf("-") != -1) {
|
|
- return stdAlg.equalsIgnoreCase(givenAlg);
|
|
- } else {
|
|
- if (stdAlg.equals("SHA-1")) {
|
|
- return (givenAlg.equalsIgnoreCase("SHA")
|
|
- || givenAlg.equalsIgnoreCase("SHA1"));
|
|
- } else {
|
|
- StringBuilder sb = new StringBuilder(givenAlg);
|
|
- // case-insensitive check
|
|
- if (givenAlg.regionMatches(true, 0, "SHA", 0, 3)) {
|
|
- givenAlg = sb.insert(3, "-").toString();
|
|
- return stdAlg.equalsIgnoreCase(givenAlg);
|
|
- } else {
|
|
- throw new ProviderException("Unsupported digest algorithm "
|
|
- + givenAlg);
|
|
- }
|
|
- }
|
|
- }
|
|
+ givenAlg = toStdName(givenAlg);
|
|
+ return stdAlg.equalsIgnoreCase(givenAlg);
|
|
}
|
|
|
|
// token instance
|
|
@@ -172,26 +169,57 @@ final class P11PSSSignature extends SignatureSpi {
|
|
this.algorithm = algorithm;
|
|
this.mechanism = new CK_MECHANISM(mechId);
|
|
int idx = algorithm.indexOf("with");
|
|
- this.mdAlg = (idx == -1? null : algorithm.substring(0, idx));
|
|
+ // convert to stdName
|
|
+ this.mdAlg = (idx == -1?
|
|
+ null : toStdName(algorithm.substring(0, idx)));
|
|
+
|
|
switch ((int)mechId) {
|
|
case (int)CKM_SHA1_RSA_PKCS_PSS:
|
|
case (int)CKM_SHA224_RSA_PKCS_PSS:
|
|
case (int)CKM_SHA256_RSA_PKCS_PSS:
|
|
case (int)CKM_SHA384_RSA_PKCS_PSS:
|
|
case (int)CKM_SHA512_RSA_PKCS_PSS:
|
|
+ case (int)CKM_SHA3_224_RSA_PKCS_PSS:
|
|
+ case (int)CKM_SHA3_256_RSA_PKCS_PSS:
|
|
+ case (int)CKM_SHA3_384_RSA_PKCS_PSS:
|
|
+ case (int)CKM_SHA3_512_RSA_PKCS_PSS:
|
|
type = T_UPDATE;
|
|
+ this.md = null;
|
|
break;
|
|
case (int)CKM_RSA_PKCS_PSS:
|
|
+ // check if the digest algo is supported by underlying PKCS11 lib
|
|
+ if (this.mdAlg != null && token.getMechanismInfo
|
|
+ (Functions.getHashMechId(this.mdAlg)) == null) {
|
|
+ throw new NoSuchAlgorithmException("Unsupported algorithm: " +
|
|
+ algorithm);
|
|
+ }
|
|
+ this.md = (this.mdAlg == null? null :
|
|
+ MessageDigest.getInstance(this.mdAlg));
|
|
type = T_DIGEST;
|
|
break;
|
|
default:
|
|
throw new ProviderException("Unsupported mechanism: " + mechId);
|
|
}
|
|
- this.md = null;
|
|
+ }
|
|
+
|
|
+ private static PSSParameterSpec genDefaultParams(String digestAlg,
|
|
+ P11Key key) throws SignatureException {
|
|
+ int mdLen;
|
|
+ try {
|
|
+ mdLen = DIGEST_LENGTHS.get(digestAlg);
|
|
+ } catch (NullPointerException npe) {
|
|
+ throw new SignatureException("Unsupported digest: " +
|
|
+ digestAlg);
|
|
+ }
|
|
+ int saltLen = Integer.min(mdLen, (key.length() >> 3) - mdLen -2);
|
|
+ return new PSSParameterSpec(digestAlg,
|
|
+ "MGF1", new MGF1ParameterSpec(digestAlg),
|
|
+ saltLen, PSSParameterSpec.TRAILER_FIELD_BC);
|
|
}
|
|
|
|
private void ensureInitialized() throws SignatureException {
|
|
token.ensureValid();
|
|
+
|
|
if (this.p11Key == null) {
|
|
throw new SignatureException("Missing key");
|
|
}
|
|
@@ -200,20 +228,19 @@ final class P11PSSSignature extends SignatureSpi {
|
|
// PSS Parameters are required for signature verification
|
|
throw new SignatureException
|
|
("Parameters required for RSASSA-PSS signature");
|
|
- } else {
|
|
- int saltLen = DIGEST_LENGTHS.get(this.mdAlg).intValue();
|
|
- // generate default params for both sign and verify?
|
|
- this.sigParams = new PSSParameterSpec(this.mdAlg,
|
|
- "MGF1", new MGF1ParameterSpec(this.mdAlg),
|
|
- saltLen, PSSParameterSpec.TRAILER_FIELD_BC);
|
|
- this.mechanism.setParameter(new CK_RSA_PKCS_PSS_PARAMS(
|
|
- this.mdAlg, "MGF1", this.mdAlg,
|
|
- DIGEST_LENGTHS.get(this.mdAlg).intValue()));
|
|
}
|
|
+ // generate default params for both sign and verify?
|
|
+ this.sigParams = genDefaultParams(this.mdAlg, this.p11Key);
|
|
+ this.mechanism.setParameter(new CK_RSA_PKCS_PSS_PARAMS(
|
|
+ this.mdAlg, "MGF1", this.mdAlg, sigParams.getSaltLength()));
|
|
}
|
|
|
|
if (initialized == false) {
|
|
- initialize();
|
|
+ try {
|
|
+ initialize();
|
|
+ } catch (ProviderException pe) {
|
|
+ throw new SignatureException(pe);
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -286,7 +313,7 @@ final class P11PSSSignature extends SignatureSpi {
|
|
}
|
|
|
|
// assumes current state is initialized == false
|
|
- private void initialize() {
|
|
+ private void initialize() throws ProviderException {
|
|
if (DEBUG) System.out.println("Initializing");
|
|
|
|
if (p11Key == null) {
|
|
@@ -363,7 +390,8 @@ final class P11PSSSignature extends SignatureSpi {
|
|
if (this.sigParams != null) {
|
|
String digestAlg = this.sigParams.getDigestAlgorithm();
|
|
int sLen = this.sigParams.getSaltLength();
|
|
- int hLen = DIGEST_LENGTHS.get(digestAlg).intValue();
|
|
+
|
|
+ int hLen = DIGEST_LENGTHS.get(toStdName(digestAlg)).intValue();
|
|
int minKeyLen = Math.addExact(Math.addExact(sLen, hLen), 2);
|
|
|
|
if (keySize < minKeyLen) {
|
|
@@ -387,12 +415,24 @@ final class P11PSSSignature extends SignatureSpi {
|
|
if (params == this.sigParams) return;
|
|
|
|
String digestAlgorithm = params.getDigestAlgorithm();
|
|
- if (this.mdAlg != null && !isDigestEqual(digestAlgorithm, this.mdAlg)) {
|
|
+ if (this.mdAlg != null && !isDigestEqual(this.mdAlg, digestAlgorithm)) {
|
|
throw new InvalidAlgorithmParameterException
|
|
("Digest algorithm in Signature parameters must be " +
|
|
this.mdAlg);
|
|
}
|
|
- Integer digestLen = DIGEST_LENGTHS.get(digestAlgorithm);
|
|
+
|
|
+ try {
|
|
+ if (token.getMechanismInfo(Functions.getHashMechId
|
|
+ (digestAlgorithm)) == null) {
|
|
+ throw new InvalidAlgorithmParameterException
|
|
+ ("Unsupported digest algorithm: " + digestAlgorithm);
|
|
+ }
|
|
+ } catch (PKCS11Exception pe) {
|
|
+ // should not happen
|
|
+ throw new InvalidAlgorithmParameterException(pe);
|
|
+ }
|
|
+
|
|
+ Integer digestLen = DIGEST_LENGTHS.get(toStdName(digestAlgorithm));
|
|
if (digestLen == null) {
|
|
throw new InvalidAlgorithmParameterException
|
|
("Unsupported digest algorithm in Signature parameters: " +
|
|
@@ -465,8 +505,14 @@ final class P11PSSSignature extends SignatureSpi {
|
|
mode = M_VERIFY;
|
|
p11Key = P11KeyFactory.convertKey(token, publicKey, KEY_ALGO);
|
|
|
|
- // For PSS, defer PKCS11 initialization calls to update/doFinal as it
|
|
- // needs both key and params
|
|
+ // attempt initialization when key and params are both available
|
|
+ if (this.p11Key != null && this.sigParams != null) {
|
|
+ try {
|
|
+ initialize();
|
|
+ } catch (ProviderException pe) {
|
|
+ throw new InvalidKeyException(pe);
|
|
+ }
|
|
+ }
|
|
}
|
|
|
|
// see JCA spec
|
|
@@ -487,8 +533,14 @@ final class P11PSSSignature extends SignatureSpi {
|
|
mode = M_SIGN;
|
|
p11Key = P11KeyFactory.convertKey(token, privateKey, KEY_ALGO);
|
|
|
|
- // For PSS, defer PKCS11 initialization calls to update/doFinal as it
|
|
- // needs both key and params
|
|
+ // attempt initialization when key and params are both available
|
|
+ if (this.p11Key != null && this.sigParams != null) {
|
|
+ try {
|
|
+ initialize();
|
|
+ } catch (ProviderException pe) {
|
|
+ throw new InvalidKeyException(pe);
|
|
+ }
|
|
+ }
|
|
}
|
|
|
|
// see JCA spec
|
|
@@ -698,6 +750,15 @@ final class P11PSSSignature extends SignatureSpi {
|
|
throw new InvalidAlgorithmParameterException(nsae);
|
|
}
|
|
}
|
|
+
|
|
+ // attempt initialization when key and params are both available
|
|
+ if (this.p11Key != null && this.sigParams != null) {
|
|
+ try {
|
|
+ initialize();
|
|
+ } catch (ProviderException pe) {
|
|
+ throw new InvalidAlgorithmParameterException(pe);
|
|
+ }
|
|
+ }
|
|
}
|
|
|
|
// see JCA spec
|
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
|
index e3af106d05a..e49edf32c29 100644
|
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
|
@@ -51,8 +51,15 @@ import sun.security.util.KeyUtil;
|
|
* . DSA
|
|
* . NONEwithDSA (RawDSA)
|
|
* . SHA1withDSA
|
|
- * . NONEwithDSAinP1363Format (RawDSAinP1363Format)
|
|
- * . SHA1withDSAinP1363Format
|
|
+ * . SHA224withDSA
|
|
+ * . SHA256withDSA
|
|
+ * . SHA384withDSA
|
|
+ * . SHA512withDSA
|
|
+ * . SHA3-224withDSA
|
|
+ * . SHA3-256withDSA
|
|
+ * . SHA3-384withDSA
|
|
+ * . SHA3-512withDSA
|
|
+ * . <any of above>inP1363Format
|
|
* . RSA:
|
|
* . MD2withRSA
|
|
* . MD5withRSA
|
|
@@ -61,6 +68,10 @@ import sun.security.util.KeyUtil;
|
|
* . SHA256withRSA
|
|
* . SHA384withRSA
|
|
* . SHA512withRSA
|
|
+ * . SHA3-224withRSA
|
|
+ * . SHA3-256withRSA
|
|
+ * . SHA3-384withRSA
|
|
+ * . SHA3-512withRSA
|
|
* . ECDSA
|
|
* . NONEwithECDSA
|
|
* . SHA1withECDSA
|
|
@@ -68,12 +79,11 @@ import sun.security.util.KeyUtil;
|
|
* . SHA256withECDSA
|
|
* . SHA384withECDSA
|
|
* . SHA512withECDSA
|
|
- * . NONEwithECDSAinP1363Format
|
|
- * . SHA1withECDSAinP1363Format
|
|
- * . SHA224withECDSAinP1363Format
|
|
- * . SHA256withECDSAinP1363Format
|
|
- * . SHA384withECDSAinP1363Format
|
|
- * . SHA512withECDSAinP1363Format
|
|
+ * . SHA3_224withECDSA
|
|
+ * . SHA3_256withECDSA
|
|
+ * . SHA3_384withECDSA
|
|
+ * . SHA3_512withECDSA
|
|
+ * . <any of above>inP1363Format
|
|
*
|
|
* Note that the underlying PKCS#11 token may support complete signature
|
|
* algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just
|
|
@@ -144,10 +154,11 @@ final class P11Signature extends SignatureSpi {
|
|
// constant for type raw, used with RawDSA and NONEwithECDSA only
|
|
private final static int T_RAW = 3;
|
|
|
|
- // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits",
|
|
- // but this is a little arbitrary
|
|
+ // PKCS#11 spec for CKM_ECDSA states that the length should not be longer
|
|
+ // than 1024 bits", but this is a little arbitrary
|
|
private final static int RAW_ECDSA_MAX = 128;
|
|
|
|
+
|
|
P11Signature(Token token, String algorithm, long mechanism)
|
|
throws NoSuchAlgorithmException, PKCS11Exception {
|
|
super();
|
|
@@ -165,16 +176,36 @@ final class P11Signature extends SignatureSpi {
|
|
case (int)CKM_SHA256_RSA_PKCS:
|
|
case (int)CKM_SHA384_RSA_PKCS:
|
|
case (int)CKM_SHA512_RSA_PKCS:
|
|
+ case (int)CKM_SHA3_224_RSA_PKCS:
|
|
+ case (int)CKM_SHA3_256_RSA_PKCS:
|
|
+ case (int)CKM_SHA3_384_RSA_PKCS:
|
|
+ case (int)CKM_SHA3_512_RSA_PKCS:
|
|
keyAlgorithm = "RSA";
|
|
type = T_UPDATE;
|
|
buffer = new byte[1];
|
|
break;
|
|
case (int)CKM_DSA_SHA1:
|
|
+ case (int)CKM_DSA_SHA224:
|
|
+ case (int)CKM_DSA_SHA256:
|
|
+ case (int)CKM_DSA_SHA384:
|
|
+ case (int)CKM_DSA_SHA512:
|
|
+ case (int)CKM_DSA_SHA3_224:
|
|
+ case (int)CKM_DSA_SHA3_256:
|
|
+ case (int)CKM_DSA_SHA3_384:
|
|
+ case (int)CKM_DSA_SHA3_512:
|
|
keyAlgorithm = "DSA";
|
|
type = T_UPDATE;
|
|
buffer = new byte[1];
|
|
break;
|
|
case (int)CKM_ECDSA_SHA1:
|
|
+ case (int)CKM_ECDSA_SHA224:
|
|
+ case (int)CKM_ECDSA_SHA256:
|
|
+ case (int)CKM_ECDSA_SHA384:
|
|
+ case (int)CKM_ECDSA_SHA512:
|
|
+ case (int)CKM_ECDSA_SHA3_224:
|
|
+ case (int)CKM_ECDSA_SHA3_256:
|
|
+ case (int)CKM_ECDSA_SHA3_384:
|
|
+ case (int)CKM_ECDSA_SHA3_512:
|
|
keyAlgorithm = "EC";
|
|
type = T_UPDATE;
|
|
buffer = new byte[1];
|
|
@@ -200,57 +231,18 @@ final class P11Signature extends SignatureSpi {
|
|
type = T_RAW;
|
|
buffer = new byte[RAW_ECDSA_MAX];
|
|
} else {
|
|
- String digestAlg;
|
|
- if (algorithm.equals("SHA1withECDSA") ||
|
|
- algorithm.equals("SHA1withECDSAinP1363Format")) {
|
|
- digestAlg = "SHA-1";
|
|
- } else if (algorithm.equals("SHA224withECDSA") ||
|
|
- algorithm.equals("SHA224withECDSAinP1363Format")) {
|
|
- digestAlg = "SHA-224";
|
|
- } else if (algorithm.equals("SHA256withECDSA") ||
|
|
- algorithm.equals("SHA256withECDSAinP1363Format")) {
|
|
- digestAlg = "SHA-256";
|
|
- } else if (algorithm.equals("SHA384withECDSA") ||
|
|
- algorithm.equals("SHA384withECDSAinP1363Format")) {
|
|
- digestAlg = "SHA-384";
|
|
- } else if (algorithm.equals("SHA512withECDSA") ||
|
|
- algorithm.equals("SHA512withECDSAinP1363Format")) {
|
|
- digestAlg = "SHA-512";
|
|
- } else {
|
|
- throw new ProviderException(algorithm);
|
|
- }
|
|
type = T_DIGEST;
|
|
- md = MessageDigest.getInstance(digestAlg);
|
|
+ md = MessageDigest.getInstance
|
|
+ (getDigestEnum(algorithm).stdName());
|
|
}
|
|
break;
|
|
case (int)CKM_RSA_PKCS:
|
|
case (int)CKM_RSA_X_509:
|
|
keyAlgorithm = "RSA";
|
|
type = T_DIGEST;
|
|
- if (algorithm.equals("MD5withRSA")) {
|
|
- md = MessageDigest.getInstance("MD5");
|
|
- digestOID = AlgorithmId.MD5_oid;
|
|
- } else if (algorithm.equals("SHA1withRSA")) {
|
|
- md = MessageDigest.getInstance("SHA-1");
|
|
- digestOID = AlgorithmId.SHA_oid;
|
|
- } else if (algorithm.equals("MD2withRSA")) {
|
|
- md = MessageDigest.getInstance("MD2");
|
|
- digestOID = AlgorithmId.MD2_oid;
|
|
- } else if (algorithm.equals("SHA224withRSA")) {
|
|
- md = MessageDigest.getInstance("SHA-224");
|
|
- digestOID = AlgorithmId.SHA224_oid;
|
|
- } else if (algorithm.equals("SHA256withRSA")) {
|
|
- md = MessageDigest.getInstance("SHA-256");
|
|
- digestOID = AlgorithmId.SHA256_oid;
|
|
- } else if (algorithm.equals("SHA384withRSA")) {
|
|
- md = MessageDigest.getInstance("SHA-384");
|
|
- digestOID = AlgorithmId.SHA384_oid;
|
|
- } else if (algorithm.equals("SHA512withRSA")) {
|
|
- md = MessageDigest.getInstance("SHA-512");
|
|
- digestOID = AlgorithmId.SHA512_oid;
|
|
- } else {
|
|
- throw new ProviderException("Unknown signature: " + algorithm);
|
|
- }
|
|
+ KnownOIDs digestAlg = getDigestEnum(algorithm);
|
|
+ md = MessageDigest.getInstance(digestAlg.stdName());
|
|
+ digestOID = ObjectIdentifier.of(digestAlg);
|
|
break;
|
|
default:
|
|
throw new ProviderException("Unknown mechanism: " + mechanism);
|
|
@@ -304,8 +296,8 @@ final class P11Signature extends SignatureSpi {
|
|
}
|
|
} else { // M_VERIFY
|
|
byte[] signature;
|
|
- if (keyAlgorithm.equals("DSA")) {
|
|
- signature = new byte[40];
|
|
+ if (mechanism == CKM_DSA) {
|
|
+ signature = new byte[64]; // assume N = 256
|
|
} else {
|
|
signature = new byte[(p11Key.length() + 7) >> 3];
|
|
}
|
|
@@ -449,13 +441,17 @@ final class P11Signature extends SignatureSpi {
|
|
encodedLength = 34;
|
|
} else if (algorithm.equals("SHA1withRSA")) {
|
|
encodedLength = 35;
|
|
- } else if (algorithm.equals("SHA224withRSA")) {
|
|
+ } else if (algorithm.equals("SHA224withRSA") ||
|
|
+ algorithm.equals("SHA3-224withRSA")) {
|
|
encodedLength = 47;
|
|
- } else if (algorithm.equals("SHA256withRSA")) {
|
|
+ } else if (algorithm.equals("SHA256withRSA") ||
|
|
+ algorithm.equals("SHA3-256withRSA")) {
|
|
encodedLength = 51;
|
|
- } else if (algorithm.equals("SHA384withRSA")) {
|
|
+ } else if (algorithm.equals("SHA384withRSA") ||
|
|
+ algorithm.equals("SHA3-384withRSA")) {
|
|
encodedLength = 67;
|
|
- } else if (algorithm.equals("SHA512withRSA")) {
|
|
+ } else if (algorithm.equals("SHA512withRSA") ||
|
|
+ algorithm.equals("SHA3-512withRSA")) {
|
|
encodedLength = 83;
|
|
} else {
|
|
throw new ProviderException("Unknown signature algo: " + algorithm);
|
|
@@ -631,8 +627,7 @@ final class P11Signature extends SignatureSpi {
|
|
try {
|
|
byte[] signature;
|
|
if (type == T_UPDATE) {
|
|
- int len = keyAlgorithm.equals("DSA") ? 40 : 0;
|
|
- signature = token.p11.C_SignFinal(session.id(), len);
|
|
+ signature = token.p11.C_SignFinal(session.id(), 0);
|
|
} else {
|
|
byte[] digest;
|
|
if (type == T_DIGEST) {
|
|
@@ -781,6 +776,23 @@ final class P11Signature extends SignatureSpi {
|
|
}
|
|
}
|
|
|
|
+ private static KnownOIDs getDigestEnum(String algorithm)
|
|
+ throws NoSuchAlgorithmException {
|
|
+ try {
|
|
+ String digAlg = SignatureUtil.extractDigestAlgFromDwithE(algorithm);
|
|
+ KnownOIDs k = KnownOIDs.findMatch(digAlg);
|
|
+ if (k == null) {
|
|
+ throw new NoSuchAlgorithmException
|
|
+ ("Unsupported digest algorithm: " + digAlg);
|
|
+ }
|
|
+ return k;
|
|
+ } catch (IllegalArgumentException iae) {
|
|
+ // should never happen
|
|
+ throw new NoSuchAlgorithmException("Unknown signature: " +
|
|
+ algorithm, iae);
|
|
+ }
|
|
+ }
|
|
+
|
|
// private static byte[] decodeSignature(byte[] signature) throws IOException {
|
|
// return RSASignature.decodeSignature(digestOID, signature);
|
|
// }
|
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
|
index cf7cd19b689..7a8bcffb92c 100644
|
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
|
@@ -550,6 +550,18 @@ public final class SunPKCS11 extends AuthProvider {
|
|
d(MD, "SHA-512/256", P11Digest,
|
|
s("2.16.840.1.101.3.4.2.6", "OID.2.16.840.1.101.3.4.2.6"),
|
|
m(CKM_SHA512_256));
|
|
+ d(MD, "SHA3-224", P11Digest,
|
|
+ s("2.16.840.1.101.3.4.2.7", "OID.2.16.840.1.101.3.4.2.7"),
|
|
+ m(CKM_SHA3_224));
|
|
+ d(MD, "SHA3-256", P11Digest,
|
|
+ s("2.16.840.1.101.3.4.2.8", "OID.2.16.840.1.101.3.4.2.8"),
|
|
+ m(CKM_SHA3_256));
|
|
+ d(MD, "SHA3-384", P11Digest,
|
|
+ s("2.16.840.1.101.3.4.2.9", "OID.2.16.840.1.101.3.4.2.9"),
|
|
+ m(CKM_SHA3_384));
|
|
+ d(MD, "SHA3-512", P11Digest,
|
|
+ s("2.16.840.1.101.3.4.2.10", "OID.2.16.840.1.101.3.4.2.10"),
|
|
+ m(CKM_SHA3_512));
|
|
|
|
d(MAC, "HmacMD5", P11MAC,
|
|
m(CKM_MD5_HMAC));
|
|
@@ -574,7 +586,18 @@ public final class SunPKCS11 extends AuthProvider {
|
|
d(MAC, "HmacSHA512/256", P11MAC,
|
|
s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"),
|
|
m(CKM_SHA512_256_HMAC));
|
|
-
|
|
+ d(MAC, "HmacSHA3-224", P11MAC,
|
|
+ s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"),
|
|
+ m(CKM_SHA3_224_HMAC));
|
|
+ d(MAC, "HmacSHA3-256", P11MAC,
|
|
+ s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"),
|
|
+ m(CKM_SHA3_256_HMAC));
|
|
+ d(MAC, "HmacSHA3-384", P11MAC,
|
|
+ s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"),
|
|
+ m(CKM_SHA3_384_HMAC));
|
|
+ d(MAC, "HmacSHA3-512", P11MAC,
|
|
+ s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"),
|
|
+ m(CKM_SHA3_512_HMAC));
|
|
d(MAC, "SslMacMD5", P11MAC,
|
|
m(CKM_SSL3_MD5_MAC));
|
|
d(MAC, "SslMacSHA1", P11MAC,
|
|
@@ -604,6 +627,41 @@ public final class SunPKCS11 extends AuthProvider {
|
|
m(CKM_BLOWFISH_KEY_GEN));
|
|
d(KG, "ChaCha20", P11KeyGenerator,
|
|
m(CKM_CHACHA20_KEY_GEN));
|
|
+ d(KG, "HmacMD5", P11KeyGenerator, // 1.3.6.1.5.5.8.1.1
|
|
+ m(CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA1", P11KeyGenerator,
|
|
+ s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"),
|
|
+ m(CKM_SHA_1_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA224", P11KeyGenerator,
|
|
+ s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"),
|
|
+ m(CKM_SHA224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA256", P11KeyGenerator,
|
|
+ s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"),
|
|
+ m(CKM_SHA256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA384", P11KeyGenerator,
|
|
+ s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"),
|
|
+ m(CKM_SHA384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA512", P11KeyGenerator,
|
|
+ s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"),
|
|
+ m(CKM_SHA512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA512/224", P11KeyGenerator,
|
|
+ s("1.2.840.113549.2.12", "OID.1.2.840.113549.2.12"),
|
|
+ m(CKM_SHA512_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA512/256", P11KeyGenerator,
|
|
+ s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"),
|
|
+ m(CKM_SHA512_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA3-224", P11KeyGenerator,
|
|
+ s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"),
|
|
+ m(CKM_SHA3_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA3-256", P11KeyGenerator,
|
|
+ s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"),
|
|
+ m(CKM_SHA3_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA3-384", P11KeyGenerator,
|
|
+ s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"),
|
|
+ m(CKM_SHA3_384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
+ d(KG, "HmacSHA3-512", P11KeyGenerator,
|
|
+ s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"),
|
|
+ m(CKM_SHA3_512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
|
|
|
|
// register (Secret)KeyFactories if there are any mechanisms
|
|
// for a particular algorithm that we support
|
|
@@ -747,13 +805,40 @@ public final class SunPKCS11 extends AuthProvider {
|
|
d(SIG, "SHA512withDSA", P11Signature,
|
|
s("2.16.840.1.101.3.4.3.4", "OID.2.16.840.1.101.3.4.3.4"),
|
|
m(CKM_DSA_SHA512));
|
|
+ d(SIG, "SHA3-224withDSA", P11Signature,
|
|
+ s("2.16.840.1.101.3.4.3.5", "OID.2.16.840.1.101.3.4.3.5"),
|
|
+ m(CKM_DSA_SHA3_224));
|
|
+ d(SIG, "SHA3-256withDSA", P11Signature,
|
|
+ s("2.16.840.1.101.3.4.3.6", "OID.2.16.840.1.101.3.4.3.6"),
|
|
+ m(CKM_DSA_SHA3_256));
|
|
+ d(SIG, "SHA3-384withDSA", P11Signature,
|
|
+ s("2.16.840.1.101.3.4.3.7", "OID.2.16.840.1.101.3.4.3.7"),
|
|
+ m(CKM_DSA_SHA3_384));
|
|
+ d(SIG, "SHA3-512withDSA", P11Signature,
|
|
+ s("2.16.840.1.101.3.4.3.8", "OID.2.16.840.1.101.3.4.3.8"),
|
|
+ m(CKM_DSA_SHA3_512));
|
|
d(SIG, "RawDSAinP1363Format", P11Signature,
|
|
s("NONEwithDSAinP1363Format"),
|
|
m(CKM_DSA));
|
|
d(SIG, "DSAinP1363Format", P11Signature,
|
|
s("SHA1withDSAinP1363Format"),
|
|
m(CKM_DSA_SHA1, CKM_DSA));
|
|
-
|
|
+ d(SIG, "SHA224withDSAinP1363Format", P11Signature,
|
|
+ m(CKM_DSA_SHA224));
|
|
+ d(SIG, "SHA256withDSAinP1363Format", P11Signature,
|
|
+ m(CKM_DSA_SHA256));
|
|
+ d(SIG, "SHA384withDSAinP1363Format", P11Signature,
|
|
+ m(CKM_DSA_SHA384));
|
|
+ d(SIG, "SHA512withDSAinP1363Format", P11Signature,
|
|
+ m(CKM_DSA_SHA512));
|
|
+ d(SIG, "SHA3-224withDSAinP1363Format", P11Signature,
|
|
+ m(CKM_DSA_SHA3_224));
|
|
+ d(SIG, "SHA3-256withDSAinP1363Format", P11Signature,
|
|
+ m(CKM_DSA_SHA3_256));
|
|
+ d(SIG, "SHA3-384withDSAinP1363Format", P11Signature,
|
|
+ m(CKM_DSA_SHA3_384));
|
|
+ d(SIG, "SHA3-512withDSAinP1363Format", P11Signature,
|
|
+ m(CKM_DSA_SHA3_512));
|
|
d(SIG, "NONEwithECDSA", P11Signature,
|
|
m(CKM_ECDSA));
|
|
d(SIG, "SHA1withECDSA", P11Signature,
|
|
@@ -761,28 +846,49 @@ public final class SunPKCS11 extends AuthProvider {
|
|
m(CKM_ECDSA_SHA1, CKM_ECDSA));
|
|
d(SIG, "SHA224withECDSA", P11Signature,
|
|
s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"),
|
|
- m(CKM_ECDSA));
|
|
+ m(CKM_ECDSA_SHA224, CKM_ECDSA));
|
|
d(SIG, "SHA256withECDSA", P11Signature,
|
|
s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"),
|
|
- m(CKM_ECDSA));
|
|
+ m(CKM_ECDSA_SHA256, CKM_ECDSA));
|
|
d(SIG, "SHA384withECDSA", P11Signature,
|
|
s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"),
|
|
- m(CKM_ECDSA));
|
|
+ m(CKM_ECDSA_SHA384, CKM_ECDSA));
|
|
d(SIG, "SHA512withECDSA", P11Signature,
|
|
s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"),
|
|
- m(CKM_ECDSA));
|
|
+ m(CKM_ECDSA_SHA512, CKM_ECDSA));
|
|
+ d(SIG, "SHA3-224withECDSA", P11Signature,
|
|
+ s("1.2.840.10045.4.3.9", "OID.1.2.840.10045.4.3.9"),
|
|
+ m(CKM_ECDSA_SHA3_224, CKM_ECDSA));
|
|
+ d(SIG, "SHA3-256withECDSA", P11Signature,
|
|
+ s("1.2.840.10045.4.3.10", "OID.1.2.840.10045.4.3.10"),
|
|
+ m(CKM_ECDSA_SHA3_256, CKM_ECDSA));
|
|
+ d(SIG, "SHA3-384withECDSA", P11Signature,
|
|
+ s("1.2.840.10045.4.3.11", "OID.1.2.840.10045.4.3.11"),
|
|
+ m(CKM_ECDSA_SHA3_384, CKM_ECDSA));
|
|
+ d(SIG, "SHA3-512withECDSA", P11Signature,
|
|
+ s("1.2.840.10045.4.3.12", "OID.1.2.840.10045.4.3.12"),
|
|
+ m(CKM_ECDSA_SHA3_512, CKM_ECDSA));
|
|
d(SIG, "NONEwithECDSAinP1363Format", P11Signature,
|
|
m(CKM_ECDSA));
|
|
d(SIG, "SHA1withECDSAinP1363Format", P11Signature,
|
|
m(CKM_ECDSA_SHA1, CKM_ECDSA));
|
|
d(SIG, "SHA224withECDSAinP1363Format", P11Signature,
|
|
- m(CKM_ECDSA));
|
|
+ m(CKM_ECDSA_SHA224, CKM_ECDSA));
|
|
d(SIG, "SHA256withECDSAinP1363Format", P11Signature,
|
|
- m(CKM_ECDSA));
|
|
+ m(CKM_ECDSA_SHA256, CKM_ECDSA));
|
|
d(SIG, "SHA384withECDSAinP1363Format", P11Signature,
|
|
- m(CKM_ECDSA));
|
|
+ m(CKM_ECDSA_SHA384, CKM_ECDSA));
|
|
d(SIG, "SHA512withECDSAinP1363Format", P11Signature,
|
|
- m(CKM_ECDSA));
|
|
+ m(CKM_ECDSA_SHA512, CKM_ECDSA));
|
|
+ d(SIG, "SHA3-224withECDSAinP1363Format", P11Signature,
|
|
+ m(CKM_ECDSA_SHA3_224, CKM_ECDSA));
|
|
+ d(SIG, "SHA3-256withECDSAinP1363Format", P11Signature,
|
|
+ m(CKM_ECDSA_SHA3_256, CKM_ECDSA));
|
|
+ d(SIG, "SHA3-384withECDSAinP1363Format", P11Signature,
|
|
+ m(CKM_ECDSA_SHA3_384, CKM_ECDSA));
|
|
+ d(SIG, "SHA3-512withECDSAinP1363Format", P11Signature,
|
|
+ m(CKM_ECDSA_SHA3_512, CKM_ECDSA));
|
|
+
|
|
d(SIG, "MD2withRSA", P11Signature,
|
|
s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"),
|
|
m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
|
|
@@ -805,6 +911,18 @@ public final class SunPKCS11 extends AuthProvider {
|
|
d(SIG, "SHA512withRSA", P11Signature,
|
|
s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
|
|
m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
|
|
+ d(SIG, "SHA3-224withRSA", P11Signature,
|
|
+ s("2.16.840.1.101.3.4.3.13", "OID.2.16.840.1.101.3.4.3.13"),
|
|
+ m(CKM_SHA3_224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
|
|
+ d(SIG, "SHA3-256withRSA", P11Signature,
|
|
+ s("2.16.840.1.101.3.4.3.14", "OID.2.16.840.1.101.3.4.3.14"),
|
|
+ m(CKM_SHA3_256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
|
|
+ d(SIG, "SHA3-384withRSA", P11Signature,
|
|
+ s("2.16.840.1.101.3.4.3.15", "OID.2.16.840.1.101.3.4.3.15"),
|
|
+ m(CKM_SHA3_384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
|
|
+ d(SIG, "SHA3-512withRSA", P11Signature,
|
|
+ s("2.16.840.1.101.3.4.3.16", "OID.2.16.840.1.101.3.4.3.16"),
|
|
+ m(CKM_SHA3_512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
|
|
d(SIG, "RSASSA-PSS", P11PSSSignature,
|
|
s("1.2.840.113549.1.1.10", "OID.1.2.840.113549.1.1.10"),
|
|
m(CKM_RSA_PKCS_PSS));
|
|
@@ -818,6 +936,14 @@ public final class SunPKCS11 extends AuthProvider {
|
|
m(CKM_SHA384_RSA_PKCS_PSS));
|
|
d(SIG, "SHA512withRSASSA-PSS", P11PSSSignature,
|
|
m(CKM_SHA512_RSA_PKCS_PSS));
|
|
+ d(SIG, "SHA3-224withRSASSA-PSS", P11PSSSignature,
|
|
+ m(CKM_SHA3_224_RSA_PKCS_PSS));
|
|
+ d(SIG, "SHA3-256withRSASSA-PSS", P11PSSSignature,
|
|
+ m(CKM_SHA3_256_RSA_PKCS_PSS));
|
|
+ d(SIG, "SHA3-384withRSASSA-PSS", P11PSSSignature,
|
|
+ m(CKM_SHA3_384_RSA_PKCS_PSS));
|
|
+ d(SIG, "SHA3-512withRSASSA-PSS", P11PSSSignature,
|
|
+ m(CKM_SHA3_512_RSA_PKCS_PSS));
|
|
|
|
d(KG, "SunTlsRsaPremasterSecret",
|
|
"sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
|
|
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
|
|
index e077943bbc2..cb04b95304d 100644
|
|
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
|
|
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -57,7 +57,12 @@ public class CK_RSA_PKCS_PSS_PARAMS {
|
|
throw new ProviderException("Only MGF1 is supported");
|
|
}
|
|
// no dash in PKCS#11 mechanism names
|
|
- this.mgf = Functions.getMGFId("CKG_MGF1_" + mgfHash.replaceFirst("-", ""));
|
|
+ if (mgfHash.startsWith("SHA3-")) {
|
|
+ mgfHash = mgfHash.replaceFirst("-", "_");
|
|
+ } else {
|
|
+ mgfHash = mgfHash.replaceFirst("-", "");
|
|
+ }
|
|
+ this.mgf = Functions.getMGFId("CKG_MGF1_" + mgfHash);
|
|
this.sLen = sLen;
|
|
}
|
|
|
|
diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java
|
|
new file mode 100644
|
|
index 00000000000..d6707028d96
|
|
--- /dev/null
|
|
+++ b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java
|
|
@@ -0,0 +1,84 @@
|
|
+/*
|
|
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
|
|
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
+ *
|
|
+ * This code is free software; you can redistribute it and/or modify it
|
|
+ * under the terms of the GNU General Public License version 2 only, as
|
|
+ * published by the Free Software Foundation.
|
|
+ *
|
|
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
|
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
+ * version 2 for more details (a copy is included in the LICENSE file that
|
|
+ * accompanied this code).
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License version
|
|
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
|
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
+ *
|
|
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
+ * or visit www.oracle.com if you need additional information or have any
|
|
+ * questions.
|
|
+ */
|
|
+
|
|
+/*
|
|
+ * @test
|
|
+ * @bug 8242332
|
|
+ * @summary Check that PKCS11 Hamc KeyGenerator picks appropriate default size
|
|
+ * @library /test/lib ..
|
|
+ * @modules jdk.crypto.cryptoki
|
|
+ * @run main/othervm HmacDefKeySizeTest
|
|
+ * @run main/othervm HmacDefKeySizeTest sm
|
|
+ */
|
|
+
|
|
+import java.security.InvalidKeyException;
|
|
+import java.security.NoSuchAlgorithmException;
|
|
+import java.security.NoSuchProviderException;
|
|
+import java.security.Provider;
|
|
+import java.util.List;
|
|
+import javax.crypto.KeyGenerator;
|
|
+import javax.crypto.SecretKey;
|
|
+
|
|
+public class HmacDefKeySizeTest extends PKCS11Test {
|
|
+
|
|
+ /**
|
|
+ * Request a KeyGenerator object from PKCS11 provider for Hmac algorithm,
|
|
+ * and generate the SecretKey.
|
|
+ *
|
|
+ * @param args the command line arguments
|
|
+ */
|
|
+ public static void main(String[] args) throws Exception {
|
|
+ main(new HmacDefKeySizeTest(), args);
|
|
+ }
|
|
+
|
|
+ @Override
|
|
+ public void main(Provider p) {
|
|
+ List<String> algorithms = getSupportedAlgorithms("KeyGenerator",
|
|
+ "Hmac", p);
|
|
+ boolean success = true;
|
|
+
|
|
+ for (String alg : algorithms) {
|
|
+ System.out.println("Testing " + alg);
|
|
+ try {
|
|
+ KeyGenerator kg = KeyGenerator.getInstance(alg, p);
|
|
+ SecretKey k1 = kg.generateKey();
|
|
+ int keysize = k1.getEncoded().length << 3;
|
|
+ System.out.println("=> default key size = " + keysize);
|
|
+ kg.init(keysize);
|
|
+ SecretKey k2 = kg.generateKey();
|
|
+ if ((k2.getEncoded().length << 3) != keysize) {
|
|
+ success = false;
|
|
+ System.out.println("keysize check failed");
|
|
+ }
|
|
+ } catch (Exception e) {
|
|
+ System.out.println("Unexpected exception: " + e);
|
|
+ e.printStackTrace();
|
|
+ success = false;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (!success) {
|
|
+ throw new RuntimeException("One or more tests failed");
|
|
+ }
|
|
+ }
|
|
+}
|
|
diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
|
|
index b61d10beece..78b7d857e8e 100644
|
|
--- a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
|
|
+++ b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java
|
|
@@ -23,7 +23,7 @@
|
|
|
|
/*
|
|
* @test
|
|
- * @bug 4917233 6461727 6490213 6720456
|
|
+ * @bug 4917233 6461727 6490213 6720456 8242332
|
|
* @summary test the KeyGenerator
|
|
* @author Andreas Sterbenz
|
|
* @library /test/lib ..
|
|
@@ -128,6 +128,18 @@ public class TestKeyGenerator extends PKCS11Test {
|
|
test("ARCFOUR", 40, p, TestResult.PASS);
|
|
test("ARCFOUR", 128, p, TestResult.PASS);
|
|
|
|
+ String[] HMAC_ALGS = {
|
|
+ "HmacSHA1", "HmacSHA224", "HmacSHA256", "HmacSHA384", "HmacSHA512",
|
|
+ "HmacSHA512/224", "HmacSHA512/256", "HmacSHA3-224", "HmacSHA3-256",
|
|
+ "HmacSHA3-384", "HmacSHA3-512",
|
|
+ };
|
|
+
|
|
+ for (String hmacAlg : HMAC_ALGS) {
|
|
+ test(hmacAlg, 0, p, TestResult.FAIL);
|
|
+ test(hmacAlg, 128, p, TestResult.PASS);
|
|
+ test(hmacAlg, 224, p, TestResult.PASS);
|
|
+ }
|
|
+
|
|
if (p.getName().equals("SunPKCS11-Solaris")) {
|
|
test("ARCFOUR", 1024, p, TestResult.TBD);
|
|
} else if (p.getName().equals("SunPKCS11-NSS")) {
|
|
diff --git a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
|
|
index 59af327c1f2..64c42a6dd06 100644
|
|
--- a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
|
|
+++ b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java
|
|
@@ -23,7 +23,7 @@
|
|
|
|
/*
|
|
* @test
|
|
- * @bug 8048603
|
|
+ * @bug 8048603 8242332
|
|
* @summary Check if doFinal and update operation result in same Mac
|
|
* @author Yu-Ching Valerie Peng, Bill Situ, Alexander Fomin
|
|
* @library /test/lib ..
|
|
@@ -40,13 +40,15 @@ import java.security.Provider;
|
|
import java.security.SecureRandom;
|
|
import java.util.List;
|
|
import javax.crypto.Mac;
|
|
+import javax.crypto.KeyGenerator;
|
|
+import javax.crypto.SecretKey;
|
|
import javax.crypto.spec.SecretKeySpec;
|
|
|
|
public class MacSameTest extends PKCS11Test {
|
|
|
|
private static final int MESSAGE_SIZE = 25;
|
|
private static final int OFFSET = 5;
|
|
- private static final int KEY_SIZE = 70;
|
|
+ private static final int KEY_SIZE = 128;
|
|
|
|
/**
|
|
* Initialize a message, instantiate a Mac object,
|
|
@@ -67,9 +69,30 @@ public class MacSameTest extends PKCS11Test {
|
|
public void main(Provider p) {
|
|
List<String> algorithms = getSupportedAlgorithms("Mac", "Hmac", p);
|
|
boolean success = true;
|
|
+ SecureRandom srdm = new SecureRandom();
|
|
+
|
|
for (String alg : algorithms) {
|
|
+ // first try w/ java secret key object
|
|
+ byte[] keyVal = new byte[KEY_SIZE];
|
|
+ srdm.nextBytes(keyVal);
|
|
+ SecretKey skey = new SecretKeySpec(keyVal, alg);
|
|
+
|
|
+ try {
|
|
+ doTest(alg, skey, p);
|
|
+ } catch (Exception e) {
|
|
+ System.out.println("Unexpected exception: " + e);
|
|
+ e.printStackTrace();
|
|
+ success = false;
|
|
+ }
|
|
+
|
|
try {
|
|
- doTest(alg, p);
|
|
+ KeyGenerator kg = KeyGenerator.getInstance(alg, p);
|
|
+ kg.init(KEY_SIZE);
|
|
+ skey = kg.generateKey();
|
|
+ doTest(alg, skey, p);
|
|
+ } catch (NoSuchAlgorithmException nsae) {
|
|
+ System.out.println("Skip test using native key for " + alg);
|
|
+ continue;
|
|
} catch (Exception e) {
|
|
System.out.println("Unexpected exception: " + e);
|
|
e.printStackTrace();
|
|
@@ -82,7 +105,7 @@ public class MacSameTest extends PKCS11Test {
|
|
}
|
|
}
|
|
|
|
- private void doTest(String algo, Provider provider)
|
|
+ private void doTest(String algo, SecretKey key, Provider provider)
|
|
throws NoSuchAlgorithmException, NoSuchProviderException,
|
|
InvalidKeyException {
|
|
System.out.println("Test " + algo);
|
|
@@ -108,12 +131,7 @@ public class MacSameTest extends PKCS11Test {
|
|
byte[] tail = new byte[plain.length - OFFSET];
|
|
System.arraycopy(plain, OFFSET, tail, 0, tail.length);
|
|
|
|
- SecureRandom srdm = new SecureRandom();
|
|
- byte[] keyVal = new byte[KEY_SIZE];
|
|
- srdm.nextBytes(keyVal);
|
|
- SecretKeySpec keySpec = new SecretKeySpec(keyVal, "HMAC");
|
|
-
|
|
- mac.init(keySpec);
|
|
+ mac.init(key);
|
|
byte[] result1 = mac.doFinal(plain);
|
|
|
|
mac.reset();
|
|
diff --git a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
|
|
index 5cad8859840..7e045232e3a 100644
|
|
--- a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
|
|
+++ b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -23,7 +23,7 @@
|
|
|
|
/*
|
|
* @test
|
|
- * @bug 4856966
|
|
+ * @bug 4856966 8242332
|
|
* @summary
|
|
* @author Andreas Sterbenz
|
|
* @library /test/lib ..
|
|
@@ -35,6 +35,7 @@
|
|
|
|
import java.security.Provider;
|
|
import java.util.Random;
|
|
+import java.util.List;
|
|
import javax.crypto.Mac;
|
|
import javax.crypto.spec.SecretKeySpec;
|
|
|
|
@@ -46,32 +47,49 @@ public class ReinitMac extends PKCS11Test {
|
|
|
|
@Override
|
|
public void main(Provider p) throws Exception {
|
|
- if (p.getService("Mac", "HmacMD5") == null) {
|
|
- System.out.println(p + " does not support HmacMD5, skipping");
|
|
- return;
|
|
- }
|
|
+ List<String> algorithms = getSupportedAlgorithms("Mac", "Hmac", p);
|
|
Random random = new Random();
|
|
- byte[] data1 = new byte[10 * 1024];
|
|
- random.nextBytes(data1);
|
|
- byte[] keyData = new byte[16];
|
|
- random.nextBytes(keyData);
|
|
- SecretKeySpec key = new SecretKeySpec(keyData, "Hmac");
|
|
- Mac mac = Mac.getInstance("HmacMD5", p);
|
|
+ byte[] data = new byte[10 * 1024];
|
|
+ random.nextBytes(data);
|
|
+ byte[] keyVal = new byte[16];
|
|
+ random.nextBytes(keyVal);
|
|
+
|
|
+ boolean success = true;
|
|
+ for (String alg : algorithms) {
|
|
+ try {
|
|
+ doTest(alg, p, keyVal, data);
|
|
+ } catch (Exception e) {
|
|
+ System.out.println("Unexpected exception: " + e);
|
|
+ e.printStackTrace();
|
|
+ success = false;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (!success) {
|
|
+ throw new RuntimeException("Test failed");
|
|
+ } else {
|
|
+ System.out.println("All tests passed");
|
|
+ }
|
|
+ }
|
|
+
|
|
+ private void doTest(String alg, Provider p, byte[] keyVal, byte[] data)
|
|
+ throws Exception {
|
|
+ System.out.println("Testing " + alg);
|
|
+ SecretKeySpec key = new SecretKeySpec(keyVal, alg);
|
|
+ Mac mac = Mac.getInstance(alg, p);
|
|
mac.init(key);
|
|
mac.init(key);
|
|
- mac.update(data1);
|
|
+ mac.update(data);
|
|
mac.init(key);
|
|
mac.doFinal();
|
|
mac.doFinal();
|
|
- mac.update(data1);
|
|
+ mac.update(data);
|
|
mac.doFinal();
|
|
mac.reset();
|
|
mac.reset();
|
|
mac.init(key);
|
|
mac.reset();
|
|
- mac.update(data1);
|
|
+ mac.update(data);
|
|
mac.reset();
|
|
-
|
|
- System.out.println("All tests passed");
|
|
}
|
|
}
|
|
diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
|
|
index 7ced00630cc..a7a72e8ea3d 100644
|
|
--- a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
|
|
+++ b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -23,7 +23,7 @@
|
|
|
|
/*
|
|
* @test
|
|
- * @bug 4856966 8080462
|
|
+ * @bug 4856966 8080462 8242332
|
|
* @summary Test the MessageDigest.update(ByteBuffer) method
|
|
* @author Andreas Sterbenz
|
|
* @library /test/lib ..
|
|
@@ -36,13 +36,10 @@ import java.nio.ByteBuffer;
|
|
import java.security.*;
|
|
import java.util.Arrays;
|
|
import java.util.Random;
|
|
+import java.util.List;
|
|
|
|
public class ByteBuffers extends PKCS11Test {
|
|
|
|
- static final String[] ALGS = {
|
|
- "SHA-224", "SHA-256", "SHA-384", "SHA-512", "SHA-512/224", "SHA-512/256"
|
|
- };
|
|
-
|
|
private static Random random = new Random();
|
|
|
|
public static void main(String[] args) throws Exception {
|
|
@@ -51,6 +48,9 @@ public class ByteBuffers extends PKCS11Test {
|
|
|
|
@Override
|
|
public void main(Provider p) throws Exception {
|
|
+ List<String> ALGS = getSupportedAlgorithms("MessageDigest",
|
|
+ "SHA", p);
|
|
+
|
|
int n = 10 * 1024;
|
|
byte[] t = new byte[n];
|
|
random.nextBytes(t);
|
|
@@ -62,13 +62,7 @@ public class ByteBuffers extends PKCS11Test {
|
|
|
|
private void runTest(Provider p, String alg, byte[] data) throws Exception {
|
|
System.out.println("Test against " + p.getName() + " and " + alg);
|
|
- MessageDigest md;
|
|
- try {
|
|
- md = MessageDigest.getInstance(alg, p);
|
|
- } catch (NoSuchAlgorithmException e) {
|
|
- System.out.println("Skip " + alg + " due to no support");
|
|
- return;
|
|
- }
|
|
+ MessageDigest md = MessageDigest.getInstance(alg, p);
|
|
|
|
byte[] d1 = md.digest(data);
|
|
|
|
diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
|
|
index ea7909bc397..268f698276b 100644
|
|
--- a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
|
|
+++ b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -23,7 +23,7 @@
|
|
|
|
/*
|
|
* @test
|
|
- * @bug 4856966
|
|
+ * @bug 4856966 8242332
|
|
* @summary
|
|
* @author Andreas Sterbenz
|
|
* @library /test/lib ..
|
|
@@ -37,6 +37,7 @@ import java.security.MessageDigest;
|
|
import java.security.Provider;
|
|
import java.util.Arrays;
|
|
import java.util.Random;
|
|
+import java.util.List;
|
|
|
|
public class ReinitDigest extends PKCS11Test {
|
|
|
|
@@ -46,19 +47,37 @@ public class ReinitDigest extends PKCS11Test {
|
|
|
|
@Override
|
|
public void main(Provider p) throws Exception {
|
|
- if (p.getService("MessageDigest", "MD5") == null) {
|
|
- System.out.println("Provider does not support MD5, skipping");
|
|
- return;
|
|
- }
|
|
+ List<String> ALGS = getSupportedAlgorithms("MessageDigest",
|
|
+ "SHA", p);
|
|
Random r = new Random();
|
|
byte[] data1 = new byte[10 * 1024];
|
|
byte[] data2 = new byte[10 * 1024];
|
|
r.nextBytes(data1);
|
|
r.nextBytes(data2);
|
|
- MessageDigest md;
|
|
- md = MessageDigest.getInstance("MD5", "SUN");
|
|
+
|
|
+ boolean success = true;
|
|
+ for (String alg : ALGS) {
|
|
+ try {
|
|
+ doTest(alg, p, data1, data2);
|
|
+ } catch (Exception e) {
|
|
+ System.out.println("Unexpected exception: " + e);
|
|
+ e.printStackTrace();
|
|
+ success = false;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (!success) {
|
|
+ throw new RuntimeException("Test failed");
|
|
+ }
|
|
+ System.out.println("All tests passed");
|
|
+ }
|
|
+
|
|
+ private void doTest(String alg, Provider p, byte[] data1, byte[] data2)
|
|
+ throws Exception {
|
|
+ System.out.println("Testing " + alg);
|
|
+ MessageDigest md = MessageDigest.getInstance(alg, "SUN");
|
|
byte[] d1 = md.digest(data1);
|
|
- md = MessageDigest.getInstance("MD5", p);
|
|
+ md = MessageDigest.getInstance(alg, p);
|
|
byte[] d2 = md.digest(data1);
|
|
check(d1, d2);
|
|
byte[] d3 = md.digest(data1);
|
|
@@ -68,7 +87,6 @@ public class ReinitDigest extends PKCS11Test {
|
|
md.reset();
|
|
byte[] d4 = md.digest(data1);
|
|
check(d1, d4);
|
|
- System.out.println("All tests passed");
|
|
}
|
|
|
|
private static void check(byte[] d1, byte[] d2) throws Exception {
|
|
diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
|
|
index b931c8564b2..ace601c7233 100644
|
|
--- a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
|
|
+++ b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -23,7 +23,7 @@
|
|
|
|
/*
|
|
* @test
|
|
- * @bug 6414899
|
|
+ * @bug 6414899 8242332
|
|
* @summary Ensure the cloning functionality works.
|
|
* @author Valerie Peng
|
|
* @library /test/lib ..
|
|
@@ -37,13 +37,10 @@ import java.security.MessageDigest;
|
|
import java.security.Provider;
|
|
import java.util.Arrays;
|
|
import java.util.Random;
|
|
+import java.util.List;
|
|
|
|
public class TestCloning extends PKCS11Test {
|
|
|
|
- private static final String[] ALGOS = {
|
|
- "MD2", "MD5", "SHA1", "SHA-224", "SHA-256", "SHA-384", "SHA-512"
|
|
- };
|
|
-
|
|
public static void main(String[] args) throws Exception {
|
|
main(new TestCloning(), args);
|
|
}
|
|
@@ -51,44 +48,28 @@ public class TestCloning extends PKCS11Test {
|
|
private static final byte[] data1 = new byte[10];
|
|
private static final byte[] data2 = new byte[10*1024];
|
|
|
|
-
|
|
@Override
|
|
public void main(Provider p) throws Exception {
|
|
+ List<String> ALGS = getSupportedAlgorithms("MessageDigest", "SHA", p);
|
|
Random r = new Random();
|
|
byte[] data1 = new byte[10];
|
|
byte[] data2 = new byte[2*1024];
|
|
r.nextBytes(data1);
|
|
r.nextBytes(data2);
|
|
System.out.println("Testing against provider " + p.getName());
|
|
- for (int i = 0; i < ALGOS.length; i++) {
|
|
- if (p.getService("MessageDigest", ALGOS[i]) == null) {
|
|
- System.out.println(ALGOS[i] + " is not supported, skipping");
|
|
- continue;
|
|
- } else {
|
|
- System.out.println("Testing " + ALGOS[i] + " of " + p.getName());
|
|
- MessageDigest md = MessageDigest.getInstance(ALGOS[i], p);
|
|
- try {
|
|
- md = testCloning(md, p);
|
|
- // repeat the test again after generating digest once
|
|
- for (int j = 0; j < 10; j++) {
|
|
- md = testCloning(md, p);
|
|
- }
|
|
- } catch (Exception ex) {
|
|
- if (ALGOS[i] == "MD2" &&
|
|
- p.getName().equalsIgnoreCase("SunPKCS11-NSS")) {
|
|
- // known bug in NSS; ignore for now
|
|
- System.out.println("Ignore Known bug in MD2 of NSS");
|
|
- continue;
|
|
- }
|
|
- throw ex;
|
|
- }
|
|
+ for (String alg : ALGS) {
|
|
+ System.out.println("Testing " + alg);
|
|
+ MessageDigest md = MessageDigest.getInstance(alg, p);
|
|
+ md = testCloning(md, p);
|
|
+ // repeat the test again after generating digest once
|
|
+ for (int j = 0; j < 10; j++) {
|
|
+ md = testCloning(md, p);
|
|
}
|
|
}
|
|
}
|
|
|
|
private static MessageDigest testCloning(MessageDigest mdObj, Provider p)
|
|
- throws Exception {
|
|
-
|
|
+ throws Exception {
|
|
// copy#0: clone at state BLANK w/o any data
|
|
MessageDigest mdCopy0 = (MessageDigest) mdObj.clone();
|
|
|
|
diff --git a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
|
|
index 26eeacffed9..f5de994779c 100644
|
|
--- a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
|
|
+++ b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java
|
|
@@ -23,7 +23,7 @@
|
|
|
|
/*
|
|
* @test
|
|
- * @bug 4856966
|
|
+ * @bug 4856966 8242332
|
|
* @summary Test the Signature.update(ByteBuffer) method
|
|
* @author Andreas Sterbenz
|
|
* @library /test/lib ..
|
|
@@ -70,10 +70,10 @@ public class ByteBuffers extends PKCS11Test {
|
|
random.nextBytes(t);
|
|
|
|
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
|
|
- kpg.initialize(512);
|
|
+ kpg.initialize(2048);
|
|
KeyPair kp = kpg.generateKeyPair();
|
|
|
|
- Signature sig = Signature.getInstance("MD5withRSA", p);
|
|
+ Signature sig = Signature.getInstance("SHA256withRSA", p);
|
|
sig.initSign(kp.getPrivate());
|
|
sig.update(t);
|
|
byte[] signature = sig.sign();
|
|
diff --git a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
|
|
index ccd66599fb0..a2fa7294977 100644
|
|
--- a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
|
|
+++ b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -25,7 +25,7 @@ import java.security.spec.*;
|
|
|
|
/**
|
|
* @test
|
|
- * @bug 8080462
|
|
+ * @bug 8080462 8242332
|
|
* @summary Make sure old state is cleared when init is called again
|
|
* @library /test/lib ..
|
|
* @modules jdk.crypto.cryptoki
|
|
@@ -38,18 +38,22 @@ public class InitAgainPSS extends PKCS11Test {
|
|
|
|
@Override
|
|
public void main(Provider p) throws Exception {
|
|
+ test("RSASSA-PSS", p);
|
|
+ }
|
|
+
|
|
+ private void test(String sigAlg, Provider p) throws Exception {
|
|
Signature s1;
|
|
try {
|
|
- s1 = Signature.getInstance("RSASSA-PSS", p);
|
|
+ s1 = Signature.getInstance(sigAlg, p);
|
|
} catch (NoSuchAlgorithmException e) {
|
|
- System.out.println("Skip testing RSASSA-PSS" +
|
|
+ System.out.println("Skip testing " + sigAlg +
|
|
" due to no support");
|
|
return;
|
|
}
|
|
|
|
byte[] msg = "hello".getBytes();
|
|
|
|
- Signature s2 = Signature.getInstance("RSASSA-PSS", p);
|
|
+ Signature s2 = Signature.getInstance(sigAlg, p);
|
|
|
|
PSSParameterSpec params = new PSSParameterSpec("SHA-256", "MGF1",
|
|
new MGF1ParameterSpec("SHA-256"), 32,
|
|
diff --git a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
|
|
index 2e4fedbf1d5..f1c0492b5fc 100644
|
|
--- a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
|
|
+++ b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -26,7 +26,7 @@ import java.security.spec.*;
|
|
|
|
/**
|
|
* @test
|
|
- * @bug 8080462 8226651
|
|
+ * @bug 8080462 8226651 8242332
|
|
* @summary Ensure that PSS key and params check are implemented properly
|
|
* regardless of call sequence
|
|
* @library /test/lib ..
|
|
@@ -55,6 +55,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
|
|
" due to no support");
|
|
return;
|
|
}
|
|
+
|
|
// NOTE: key length >= (digest length + 2) in bytes
|
|
// otherwise, even salt length = 0 would not work
|
|
runTest(p, 1024, "SHA-256", "SHA-256");
|
|
@@ -66,10 +67,30 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
|
|
runTest(p, 1040, "SHA-512", "SHA-256");
|
|
runTest(p, 1040, "SHA-512", "SHA-384");
|
|
runTest(p, 1040, "SHA-512", "SHA-512");
|
|
+ runTest(p, 1024, "SHA3-256", "SHA3-256");
|
|
+ runTest(p, 1024, "SHA3-256", "SHA3-384");
|
|
+ runTest(p, 1024, "SHA3-256", "SHA3-512");
|
|
+ runTest(p, 1024, "SHA3-384", "SHA3-256");
|
|
+ runTest(p, 1024, "SHA3-384", "SHA3-384");
|
|
+ runTest(p, 1024, "SHA3-384", "SHA3-512");
|
|
+ runTest(p, 1040, "SHA3-512", "SHA3-256");
|
|
+ runTest(p, 1040, "SHA3-512", "SHA3-384");
|
|
+ runTest(p, 1040, "SHA3-512", "SHA3-512");
|
|
}
|
|
|
|
private void runTest(Provider p, int keySize, String hashAlg,
|
|
String mgfHashAlg) throws Exception {
|
|
+
|
|
+ // skip further test if this provider does not support hashAlg or
|
|
+ // mgfHashAlg
|
|
+ try {
|
|
+ MessageDigest.getInstance(hashAlg, p);
|
|
+ MessageDigest.getInstance(mgfHashAlg, p);
|
|
+ } catch (NoSuchAlgorithmException nsae) {
|
|
+ System.out.println("No support for " + hashAlg + ", skip");
|
|
+ return;
|
|
+ }
|
|
+
|
|
System.out.println("Testing [" + keySize + " " + hashAlg + "]");
|
|
|
|
// create a key pair with the supplied size
|
|
@@ -95,6 +116,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
|
|
} catch (InvalidKeyException ike) {
|
|
System.out.println("test#1: got expected IKE");
|
|
}
|
|
+
|
|
sig.setParameter(paramsGood);
|
|
sig.initSign(priv);
|
|
System.out.println("test#1: pass");
|
|
@@ -108,8 +130,10 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
|
|
} catch (InvalidKeyException ike) {
|
|
System.out.println("test#2: got expected IKE");
|
|
}
|
|
+
|
|
sig.setParameter(paramsGood);
|
|
sig.initVerify(pub);
|
|
+
|
|
System.out.println("test#2: pass");
|
|
|
|
// test#3 - initSign, then setParameter
|
|
@@ -121,6 +145,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
|
|
} catch (InvalidAlgorithmParameterException iape) {
|
|
System.out.println("test#3: got expected IAPE");
|
|
}
|
|
+
|
|
sig.setParameter(paramsGood);
|
|
System.out.println("test#3: pass");
|
|
|
|
@@ -133,6 +158,7 @@ public class KeyAndParamCheckForPSS extends PKCS11Test {
|
|
} catch (InvalidAlgorithmParameterException iape) {
|
|
System.out.println("test#4: got expected IAPE");
|
|
}
|
|
+
|
|
sig.setParameter(paramsGood);
|
|
System.out.println("test#4: pass");
|
|
}
|
|
diff --git a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
|
|
index 42ca7fa203d..8c132ca7e4f 100644
|
|
--- a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
|
|
+++ b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java
|
|
@@ -23,312 +23,13 @@
|
|
|
|
/*
|
|
* @test
|
|
- * @bug 4856966
|
|
+ * @bug 4856966 8242332
|
|
* @summary test that reinitializing Signatures works correctly
|
|
* @author Andreas Sterbenz
|
|
* @library /test/lib ..
|
|
* @key randomness
|
|
* @modules jdk.crypto.cryptoki
|
|
* @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
- * @run main ReinitSignature
|
|
*/
|
|
|
|
import java.security.KeyPair;
|
|
@@ -363,11 +64,11 @@ public class ReinitSignature extends PKCS11Test {
|
|
}
|
|
|
|
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
|
|
- kpg.initialize(512);
|
|
+ kpg.initialize(2048);
|
|
KeyPair kp = kpg.generateKeyPair();
|
|
PrivateKey privateKey = kp.getPrivate();
|
|
PublicKey publicKey = kp.getPublic();
|
|
- Signature sig = Signature.getInstance("MD5withRSA", p);
|
|
+ Signature sig = Signature.getInstance("SHA256withRSA", p);
|
|
byte[] data = new byte[10 * 1024];
|
|
new Random().nextBytes(data);
|
|
sig.initSign(privateKey);
|
|
diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
|
|
index 3c3edb5aa6a..11147022771 100644
|
|
--- a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
|
|
+++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -27,7 +27,7 @@ import java.security.interfaces.*;
|
|
|
|
/*
|
|
* @test
|
|
- * @bug 8080462 8226651
|
|
+ * @bug 8080462 8226651 8242332
|
|
* @summary testing interoperability of PSS signatures of PKCS11 provider
|
|
* against SunRsaSign provider
|
|
* @library /test/lib ..
|
|
diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java
|
|
new file mode 100644
|
|
index 00000000000..b8ea9863327
|
|
--- /dev/null
|
|
+++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java
|
|
@@ -0,0 +1,98 @@
|
|
+/*
|
|
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
|
|
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
+ *
|
|
+ * This code is free software; you can redistribute it and/or modify it
|
|
+ * under the terms of the GNU General Public License version 2 only, as
|
|
+ * published by the Free Software Foundation.
|
|
+ *
|
|
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
|
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
+ * version 2 for more details (a copy is included in the LICENSE file that
|
|
+ * accompanied this code).
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License version
|
|
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
|
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
+ *
|
|
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
+ * or visit www.oracle.com if you need additional information or have any
|
|
+ * questions.
|
|
+ */
|
|
+
|
|
+import java.security.*;
|
|
+import java.security.spec.*;
|
|
+import java.security.interfaces.*;
|
|
+
|
|
+/*
|
|
+ * @test
|
|
+ * @bug 8080462 8226651 8242332
|
|
+ * @summary testing interoperability of PSS signatures of PKCS11 provider
|
|
+ * against SunRsaSign provider
|
|
+ * @library /test/lib ..
|
|
+ * @modules jdk.crypto.cryptoki
|
|
+ * @run main/othervm SigInteropPSS2
|
|
+ */
|
|
+public class SigInteropPSS2 extends PKCS11Test {
|
|
+
|
|
+ private static final byte[] MSG =
|
|
+ "Interoperability test between SunRsaSign and SunPKCS11".getBytes();
|
|
+
|
|
+ private static final String[] DIGESTS = {
|
|
+ "SHA224", "SHA256", "SHA384", "SHA512",
|
|
+ "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"
|
|
+ };
|
|
+
|
|
+ public static void main(String[] args) throws Exception {
|
|
+ main(new SigInteropPSS2(), args);
|
|
+ }
|
|
+
|
|
+ @Override
|
|
+ public void main(Provider p) throws Exception {
|
|
+
|
|
+ Signature sigPkcs11;
|
|
+ Signature sigSunRsaSign =
|
|
+ Signature.getInstance("RSASSA-PSS", "SunRsaSign");
|
|
+
|
|
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
|
|
+ kpg.initialize(3072);
|
|
+ KeyPair kp = kpg.generateKeyPair();
|
|
+
|
|
+ for (String digest : DIGESTS) {
|
|
+ try {
|
|
+ sigPkcs11 = Signature.getInstance(digest + "withRSASSA-PSS", p);
|
|
+ } catch (NoSuchAlgorithmException e) {
|
|
+ System.out.println("Skip testing " + digest + "withRSASSA-PSS" +
|
|
+ " due to no support");
|
|
+ continue;
|
|
+ }
|
|
+
|
|
+ runTest(sigPkcs11, sigSunRsaSign, kp);
|
|
+ }
|
|
+ System.out.println("Test passed");
|
|
+ }
|
|
+
|
|
+ static void runTest(Signature signer, Signature verifier, KeyPair kp)
|
|
+ throws Exception {
|
|
+ System.out.println("\tSign: " + signer.getProvider().getName());
|
|
+ System.out.println("\tVerify: " + verifier.getProvider().getName());
|
|
+
|
|
+ signer.initSign(kp.getPrivate());
|
|
+ signer.update(MSG);
|
|
+ byte[] sigBytes = signer.sign();
|
|
+
|
|
+ AlgorithmParameters signParams = signer.getParameters();
|
|
+ verifier.setParameter(signParams.getParameterSpec
|
|
+ (PSSParameterSpec.class));
|
|
+ verifier.initVerify(kp.getPublic());
|
|
+
|
|
+ verifier.update(MSG);
|
|
+ boolean isValid = verifier.verify(sigBytes);
|
|
+ if (isValid) {
|
|
+ System.out.println("\tPSS Signature verified");
|
|
+ } else {
|
|
+ throw new RuntimeException("ERROR verifying PSS Signature");
|
|
+ }
|
|
+ }
|
|
+}
|
|
diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
|
|
index 3a6dbe345e9..4c1f7284bbc 100644
|
|
--- a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
|
|
+++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -27,7 +27,7 @@ import java.util.stream.IntStream;
|
|
|
|
/**
|
|
* @test
|
|
- * @bug 8080462 8226651
|
|
+ * @bug 8080462 8226651 8242332
|
|
* @summary Generate a RSASSA-PSS signature and verify it using PKCS11 provider
|
|
* @library /test/lib ..
|
|
* @modules jdk.crypto.cryptoki
|
|
@@ -40,8 +40,10 @@ public class SignatureTestPSS extends PKCS11Test {
|
|
private static final String SIGALG = "RSASSA-PSS";
|
|
|
|
private static final int[] KEYSIZES = { 2048, 3072 };
|
|
- private static final String[] DIGESTS = { "SHA-224", "SHA-256",
|
|
- "SHA-384" , "SHA-512" };
|
|
+ private static final String[] DIGESTS = {
|
|
+ "SHA-224", "SHA-256", "SHA-384" , "SHA-512",
|
|
+ "SHA3-224", "SHA3-256", "SHA3-384" , "SHA3-512",
|
|
+ };
|
|
private Provider prov;
|
|
|
|
/**
|
|
@@ -115,7 +117,22 @@ public class SignatureTestPSS extends PKCS11Test {
|
|
throws NoSuchAlgorithmException, InvalidKeyException,
|
|
SignatureException, NoSuchProviderException,
|
|
InvalidAlgorithmParameterException {
|
|
- System.out.println("Testing against " + hash + " and MGF1_" + mgfHash);
|
|
+
|
|
+ String testName = hash + " and MGF1_" + mgfHash;
|
|
+ // only test RSASSA-PSS signature against the supplied hash/mgfHash
|
|
+ // if they are supported; otherwise PKCS11 library will throw
|
|
+ // CKR_MECHANISM_PARAM_INVALID at Signature.initXXX calls
|
|
+ try {
|
|
+ MessageDigest md = MessageDigest.getInstance(hash, prov);
|
|
+ if (!hash.equalsIgnoreCase(mgfHash)) {
|
|
+ md = MessageDigest.getInstance(mgfHash, prov);
|
|
+ }
|
|
+ } catch (NoSuchAlgorithmException nsae) {
|
|
+ System.out.println("Skip testing " + hash + "/" + mgfHash);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ System.out.println("Testing against " + testName);
|
|
Signature sig = Signature.getInstance(SIGALG, prov);
|
|
AlgorithmParameterSpec params = new PSSParameterSpec(
|
|
hash, "MGF1", new MGF1ParameterSpec(mgfHash), 0, 1);
|
|
diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java
|
|
new file mode 100644
|
|
index 00000000000..516b17972e5
|
|
--- /dev/null
|
|
+++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java
|
|
@@ -0,0 +1,140 @@
|
|
+/*
|
|
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
|
|
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
+ *
|
|
+ * This code is free software; you can redistribute it and/or modify it
|
|
+ * under the terms of the GNU General Public License version 2 only, as
|
|
+ * published by the Free Software Foundation.
|
|
+ *
|
|
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
|
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
+ * version 2 for more details (a copy is included in the LICENSE file that
|
|
+ * accompanied this code).
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License version
|
|
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
|
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
+ *
|
|
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
+ * or visit www.oracle.com if you need additional information or have any
|
|
+ * questions.
|
|
+ */
|
|
+import java.security.*;
|
|
+import java.security.interfaces.*;
|
|
+import java.security.spec.*;
|
|
+import java.util.stream.IntStream;
|
|
+
|
|
+/**
|
|
+ * @test
|
|
+ * @bug 8244154 8242332
|
|
+ * @summary Generate a <digest>withRSASSA-PSS signature and verify it using
|
|
+ * PKCS11 provider
|
|
+ * @library /test/lib ..
|
|
+ * @modules jdk.crypto.cryptoki
|
|
+ * @run main SignatureTestPSS2
|
|
+ */
|
|
+public class SignatureTestPSS2 extends PKCS11Test {
|
|
+
|
|
+ // PKCS11 does not support RSASSA-PSS keys yet
|
|
+ private static final String KEYALG = "RSA";
|
|
+ private static final String[] SIGALGS = {
|
|
+ "SHA224withRSASSA-PSS", "SHA256withRSASSA-PSS",
|
|
+ "SHA384withRSASSA-PSS", "SHA512withRSASSA-PSS",
|
|
+ "SHA3-224withRSASSA-PSS", "SHA3-256withRSASSA-PSS",
|
|
+ "SHA3-384withRSASSA-PSS", "SHA3-512withRSASSA-PSS"
|
|
+ };
|
|
+
|
|
+ private static final int[] KEYSIZES = { 2048, 3072 };
|
|
+
|
|
+ /**
|
|
+ * How much times signature updated.
|
|
+ */
|
|
+ private static final int UPDATE_TIMES = 2;
|
|
+
|
|
+ public static void main(String[] args) throws Exception {
|
|
+ main(new SignatureTestPSS2(), args);
|
|
+ }
|
|
+
|
|
+ @Override
|
|
+ public void main(Provider p) throws Exception {
|
|
+ for (String sa : SIGALGS) {
|
|
+ Signature sig;
|
|
+ try {
|
|
+ sig = Signature.getInstance(sa, p);
|
|
+ } catch (NoSuchAlgorithmException e) {
|
|
+ System.out.println("Skip testing " + sa +
|
|
+ " due to no support");
|
|
+ return;
|
|
+ }
|
|
+ for (int i : KEYSIZES) {
|
|
+ runTest(sig, i);
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ private static void runTest(Signature s, int keySize) throws Exception {
|
|
+ byte[] data = new byte[100];
|
|
+ IntStream.range(0, data.length).forEach(j -> {
|
|
+ data[j] = (byte) j;
|
|
+ });
|
|
+ System.out.println("[KEYSIZE = " + keySize + "]");
|
|
+
|
|
+ // create a key pair
|
|
+ KeyPair kpair = generateKeys(KEYALG, keySize, s.getProvider());
|
|
+ test(s, kpair.getPrivate(), kpair.getPublic(), data);
|
|
+ }
|
|
+
|
|
+ private static void test(Signature sig, PrivateKey privKey,
|
|
+ PublicKey pubKey, byte[] data) throws RuntimeException {
|
|
+ // For signature algorithm, create and verify a signature
|
|
+ try {
|
|
+ checkSignature(sig, privKey, pubKey, data);
|
|
+ } catch (NoSuchAlgorithmException | InvalidKeyException |
|
|
+ SignatureException | NoSuchProviderException ex) {
|
|
+ throw new RuntimeException(ex);
|
|
+ } catch (InvalidAlgorithmParameterException ex2) {
|
|
+ System.out.println("Skip test due to " + ex2);
|
|
+ }
|
|
+ }
|
|
+
|
|
+ private static KeyPair generateKeys(String keyalg, int size, Provider p)
|
|
+ throws NoSuchAlgorithmException {
|
|
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyalg, p);
|
|
+ kpg.initialize(size);
|
|
+ return kpg.generateKeyPair();
|
|
+ }
|
|
+
|
|
+ private static void checkSignature(Signature sig, PrivateKey priv,
|
|
+ PublicKey pub, byte[] data) throws NoSuchAlgorithmException,
|
|
+ InvalidKeyException, SignatureException, NoSuchProviderException,
|
|
+ InvalidAlgorithmParameterException {
|
|
+ System.out.println("Testing against " + sig.getAlgorithm());
|
|
+ sig.initSign(priv);
|
|
+ for (int i = 0; i < UPDATE_TIMES; i++) {
|
|
+ sig.update(data);
|
|
+ }
|
|
+ byte[] signedData = sig.sign();
|
|
+
|
|
+ // Make sure signature verifies with original data
|
|
+ // do we need to call sig.setParameter(params) again?
|
|
+ sig.initVerify(pub);
|
|
+ for (int i = 0; i < UPDATE_TIMES; i++) {
|
|
+ sig.update(data);
|
|
+ }
|
|
+ if (!sig.verify(signedData)) {
|
|
+ throw new RuntimeException("Failed to verify signature");
|
|
+ }
|
|
+
|
|
+ // Make sure signature does NOT verify when the original data
|
|
+ // has changed
|
|
+ sig.initVerify(pub);
|
|
+ for (int i = 0; i < UPDATE_TIMES + 1; i++) {
|
|
+ sig.update(data);
|
|
+ }
|
|
+
|
|
+ if (sig.verify(signedData)) {
|
|
+ throw new RuntimeException("Failed to detect bad signature");
|
|
+ }
|
|
+ }
|
|
+}
|
|
diff --git a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
|
|
index 222f8a2a5ed..3161de6fc50 100644
|
|
--- a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
|
|
+++ b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
|
|
+ * Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
@@ -22,7 +22,7 @@
|
|
*/
|
|
/*
|
|
* @test
|
|
- * @bug 8080462
|
|
+ * @bug 8080462 8242332
|
|
* @library /test/lib ..
|
|
* @modules jdk.crypto.cryptoki
|
|
* @run main/othervm/timeout=250 TestDSA2
|
|
@@ -40,8 +40,12 @@ public class TestDSA2 extends PKCS11Test {
|
|
private static final String[] SIG_ALGOS = {
|
|
"SHA224withDSA",
|
|
"SHA256withDSA",
|
|
- //"SHA384withDSA",
|
|
- //"SHA512withDSA",
|
|
+ "SHA3-224withDSA",
|
|
+ "SHA3-256withDSA",
|
|
+ "SHA384withDSA",
|
|
+ "SHA512withDSA",
|
|
+ "SHA3-384withDSA",
|
|
+ "SHA3-512withDSA",
|
|
};
|
|
|
|
private static final int KEYSIZE = 2048;
|
|
@@ -59,25 +63,33 @@ public class TestDSA2 extends PKCS11Test {
|
|
kp = kpg.generateKeyPair();
|
|
} catch (Exception ex) {
|
|
System.out.println("Skip due to no 2048-bit DSA support: " + ex);
|
|
- ex.printStackTrace();
|
|
return;
|
|
}
|
|
|
|
+ boolean allPass = true;
|
|
for (String sigAlg : SIG_ALGOS) {
|
|
- test(sigAlg, kp, p);
|
|
+ System.out.println("Testing " + sigAlg);
|
|
+ try {
|
|
+ Signature sig = Signature.getInstance(sigAlg, p);
|
|
+ test(sig, kp, p);
|
|
+ } catch (NoSuchAlgorithmException nsae) {
|
|
+ System.out.println("=>Skip due to no support");
|
|
+ } catch (Exception ex) {
|
|
+ System.out.println("Unexpected exception when testing " +
|
|
+ sigAlg);
|
|
+ ex.printStackTrace();
|
|
+ allPass = false;
|
|
+ }
|
|
+ }
|
|
+ if (allPass) {
|
|
+ System.out.println("Tests Passed");
|
|
+ } else {
|
|
+ throw new RuntimeException("One or more tests failed");
|
|
}
|
|
}
|
|
|
|
- private static void test(String sigAlg, KeyPair kp, Provider p)
|
|
+ private static void test(Signature sig, KeyPair kp, Provider p)
|
|
throws Exception {
|
|
- Signature sig;
|
|
- try {
|
|
- sig = Signature.getInstance(sigAlg, p);
|
|
- } catch (Exception ex) {
|
|
- System.out.println("Skip due to no support: " + sigAlg);
|
|
- ex.printStackTrace();
|
|
- return;
|
|
- }
|
|
|
|
byte[] data = "anything will do".getBytes();
|
|
|
|
@@ -85,9 +97,10 @@ public class TestDSA2 extends PKCS11Test {
|
|
sig.update(data);
|
|
byte[] signature = sig.sign();
|
|
|
|
- sig.initVerify(kp.getPublic());
|
|
- sig.update(data);
|
|
- boolean verifies = sig.verify(signature);
|
|
- System.out.println(sigAlg + ": Passed");
|
|
+ Signature sigV = Signature.getInstance(sig.getAlgorithm() , p);
|
|
+ sigV.initVerify(kp.getPublic());
|
|
+ sigV.update(data);
|
|
+ boolean verifies = sigV.verify(signature);
|
|
+ System.out.println("=> Passed");
|
|
}
|
|
}
|
|
diff --git a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
|
|
index f469ca17b65..7e5a012a5ec 100644
|
|
--- a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
|
|
+++ b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java
|
|
@@ -22,8 +22,8 @@
|
|
*/
|
|
|
|
/*
|
|
- * @test %W% %E%
|
|
- * @bug 6695485
|
|
+ * @test
|
|
+ * @bug 6695485 8242332
|
|
* @summary Make sure initSign/initVerify() check RSA key lengths
|
|
* @author Yu-Ching Valerie Peng
|
|
* @library /test/lib ..
|
|
@@ -65,9 +65,14 @@ public class TestRSAKeyLength extends PKCS11Test {
|
|
return;
|
|
}
|
|
|
|
- boolean isValidKeyLength[] = { true, true, true, false, false };
|
|
- String algos[] = { "SHA1withRSA", "SHA224withRSA", "SHA256withRSA",
|
|
- "SHA384withRSA", "SHA512withRSA" };
|
|
+ boolean isValidKeyLength[] = {
|
|
+ true, true, true, false, false, true, true, false, false
|
|
+ };
|
|
+ String algos[] = {
|
|
+ "SHA1withRSA", "SHA224withRSA", "SHA256withRSA",
|
|
+ "SHA384withRSA", "SHA512withRSA", "SHA3-224withRSA",
|
|
+ "SHA3-256withRSA", "SHA3-384withRSA", "SHA3-512withRSA"
|
|
+ };
|
|
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
|
|
kpg.initialize(512);
|
|
KeyPair kp = kpg.generateKeyPair();
|
|
diff --git a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
|
|
index 49778ea954c..576b1dc4d69 100644
|
|
--- a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
|
|
+++ b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt
|
|
@@ -11,12 +11,23 @@ library = ${pkcs11test.nss.lib}
|
|
|
|
nssArgs = "configdir='${pkcs11test.nss.db}' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly"
|
|
|
|
-# HMAC_SHA256/384/512 broken until NSS 3.10.2
|
|
-# see https://bugzilla.mozilla.org/show_bug.cgi?id=291858
|
|
disabledMechanisms = {
|
|
- CKM_SHA256_HMAC
|
|
- CKM_SHA384_HMAC
|
|
- CKM_SHA512_HMAC
|
|
+ CKM_DSA_SHA224
|
|
+ CKM_DSA_SHA256
|
|
+ CKM_DSA_SHA384
|
|
+ CKM_DSA_SHA512
|
|
+ CKM_DSA_SHA3_224
|
|
+ CKM_DSA_SHA3_256
|
|
+ CKM_DSA_SHA3_384
|
|
+ CKM_DSA_SHA3_512
|
|
+ CKM_ECDSA_SHA224
|
|
+ CKM_ECDSA_SHA256
|
|
+ CKM_ECDSA_SHA384
|
|
+ CKM_ECDSA_SHA512
|
|
+ CKM_ECDSA_SHA3_224
|
|
+ CKM_ECDSA_SHA3_256
|
|
+ CKM_ECDSA_SHA3_384
|
|
+ CKM_ECDSA_SHA3_512
|
|
}
|
|
|
|
attributes = compatibility
|