jdk-sandbox: comparison src/java.base/share/classes/sun/security/rsa/RSAKeyFactory.java

equal deleted inserted replaced

-:92cbbfc996f3
+:56aaa6cb3693
 /*
-* Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 import java.security.*;
 import java.security.interfaces.*;
 import java.security.spec.*;
 import sun.security.action.GetPropertyAction;
+import sun.security.x509.AlgorithmId;
+import static sun.security.rsa.RSAUtil.KeyType;
 /**
-* KeyFactory for RSA keys. Keys must be instances of PublicKey or PrivateKey
+* KeyFactory for RSA keys, e.g. "RSA", "RSASSA-PSS".
-* and getAlgorithm() must return "RSA". For such keys, it supports conversion
+* Keys must be instances of PublicKey or PrivateKey
+* and getAlgorithm() must return a value which matches the type which are
+* specified during construction time of the KeyFactory object.
+* For such keys, it supports conversion
 * between the following:
 *
 * For public keys:
 *  . PublicKey with an X.509 encoding
 *  . RSAPublicKey
 * Note: as always, RSA keys should be at least 512 bits long
 *
 * @since   1.5
 * @author  Andreas Sterbenz
 */
-public final class RSAKeyFactory extends KeyFactorySpi {
+public class RSAKeyFactory extends KeyFactorySpi {
-private static final Class<?> rsaPublicKeySpecClass =
+private static final Class<?> RSA_PUB_KEYSPEC_CLS = RSAPublicKeySpec.class;
-RSAPublicKeySpec.class;
+private static final Class<?> RSA_PRIV_KEYSPEC_CLS =
-private static final Class<?> rsaPrivateKeySpecClass =
+RSAPrivateKeySpec.class;
-RSAPrivateKeySpec.class;
+private static final Class<?> RSA_PRIVCRT_KEYSPEC_CLS =
-private static final Class<?> rsaPrivateCrtKeySpecClass =
+RSAPrivateCrtKeySpec.class;
-RSAPrivateCrtKeySpec.class;
+private static final Class<?> X509_KEYSPEC_CLS = X509EncodedKeySpec.class;
+private static final Class<?> PKCS8_KEYSPEC_CLS = PKCS8EncodedKeySpec.class;
-private static final Class<?> x509KeySpecClass  = X509EncodedKeySpec.class;
-private static final Class<?> pkcs8KeySpecClass = PKCS8EncodedKeySpec.class;
 public static final int MIN_MODLEN = 512;
 public static final int MAX_MODLEN = 16384;
+private final KeyType type;
 /*
 * If the modulus length is above this value, restrict the size of
 * the exponent to something that can be reasonably computed.  We
 * could simply hardcode the exp len to something like 64 bits, but
 private static final boolean restrictExpLen =
 "true".equalsIgnoreCase(GetPropertyAction.privilegedGetProperty(
 "sun.security.rsa.restrictRSAExponent", "true"));
-// instance used for static translateKey();
+static RSAKeyFactory getInstance(KeyType type) {
-private static final RSAKeyFactory INSTANCE = new RSAKeyFactory();
+return new RSAKeyFactory(type);
+}
-public RSAKeyFactory() {
-// empty
+// Internal utility method for checking key algorithm
+private static void checkKeyAlgo(Key key, String expectedAlg)
+throws InvalidKeyException {
+String keyAlg = key.getAlgorithm();
+if (!(keyAlg.equalsIgnoreCase(expectedAlg))) {
+throw new InvalidKeyException("Expected a " + expectedAlg
++ " key, but got " + keyAlg);
+}
 }
 /**
 * Static method to convert Key into an instance of RSAPublicKeyImpl
 * or RSAPrivate(Crt)KeyImpl. If the key is not an RSA key or cannot be
 if ((key instanceof RSAPrivateKeyImpl) ||
 (key instanceof RSAPrivateCrtKeyImpl) ||
 (key instanceof RSAPublicKeyImpl)) {
 return (RSAKey)key;
 } else {
-return (RSAKey)INSTANCE.engineTranslateKey(key);
+try {
+String keyAlgo = key.getAlgorithm();
+KeyType type = KeyType.lookup(keyAlgo);
+RSAKeyFactory kf = RSAKeyFactory.getInstance(type);
+return (RSAKey) kf.engineTranslateKey(key);
+} catch (ProviderException e) {
+throw new InvalidKeyException(e);
+}
 }
 }
 /*
 * Single test entry point for all of the mechanisms in the SunRsaSign
 " if modulus is greater than " +
 MAX_MODLEN_RESTRICT_EXP + " bits");
 }
 }
+// disallowed as KeyType is required
+private RSAKeyFactory() {
+this.type = KeyType.RSA;
+}
+public RSAKeyFactory(KeyType type) {
+this.type = type;
+}
 /**
 * Translate an RSA key into a SunRsaSign RSA key. If conversion is
 * not possible, throw an InvalidKeyException.
 * See also JCA doc.
 */
 protected Key engineTranslateKey(Key key) throws InvalidKeyException {
 if (key == null) {
 throw new InvalidKeyException("Key must not be null");
 }
-String keyAlg = key.getAlgorithm();
+// ensure the key algorithm matches the current KeyFactory instance
-if (keyAlg.equals("RSA") == false) {
+checkKeyAlgo(key, type.keyAlgo());
-throw new InvalidKeyException("Not an RSA key: " + keyAlg);
+// no translation needed if the key is already our own impl
+if ((key instanceof RSAPrivateKeyImpl) ||
+(key instanceof RSAPrivateCrtKeyImpl) ||
+(key instanceof RSAPublicKeyImpl)) {
+return key;
 }
 if (key instanceof PublicKey) {
 return translatePublicKey((PublicKey)key);
 } else if (key instanceof PrivateKey) {
 return translatePrivateKey((PrivateKey)key);
 // internal implementation of translateKey() for public keys. See JCA doc
 private PublicKey translatePublicKey(PublicKey key)
 throws InvalidKeyException {
 if (key instanceof RSAPublicKey) {
-if (key instanceof RSAPublicKeyImpl) {
-return key;
-}
 RSAPublicKey rsaKey = (RSAPublicKey)key;
 try {
 return new RSAPublicKeyImpl(
+RSAUtil.createAlgorithmId(type, rsaKey.getParams()),
 rsaKey.getModulus(),
-rsaKey.getPublicExponent()
+rsaKey.getPublicExponent());
-);
+} catch (ProviderException e) {
-} catch (RuntimeException e) {
 // catch providers that incorrectly implement RSAPublicKey
 throw new InvalidKeyException("Invalid key", e);
 }
 } else if ("X.509".equals(key.getFormat())) {
 byte[] encoded = key.getEncoded();
-return new RSAPublicKeyImpl(encoded);
+RSAPublicKey translated = new RSAPublicKeyImpl(encoded);
+// ensure the key algorithm matches the current KeyFactory instance
+checkKeyAlgo(translated, type.keyAlgo());
+return translated;
 } else {
 throw new InvalidKeyException("Public keys must be instance "
 + "of RSAPublicKey or have X.509 encoding");
 }
 }
 // internal implementation of translateKey() for private keys. See JCA doc
 private PrivateKey translatePrivateKey(PrivateKey key)
 throws InvalidKeyException {
 if (key instanceof RSAPrivateCrtKey) {
-if (key instanceof RSAPrivateCrtKeyImpl) {
-return key;
-}
 RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key;
 try {
 return new RSAPrivateCrtKeyImpl(
+RSAUtil.createAlgorithmId(type, rsaKey.getParams()),
 rsaKey.getModulus(),
 rsaKey.getPublicExponent(),
 rsaKey.getPrivateExponent(),
 rsaKey.getPrimeP(),
 rsaKey.getPrimeQ(),
 rsaKey.getPrimeExponentP(),
 rsaKey.getPrimeExponentQ(),
 rsaKey.getCrtCoefficient()
 );
-} catch (RuntimeException e) {
+} catch (ProviderException e) {
 // catch providers that incorrectly implement RSAPrivateCrtKey
 throw new InvalidKeyException("Invalid key", e);
 }
 } else if (key instanceof RSAPrivateKey) {
-if (key instanceof RSAPrivateKeyImpl) {
-return key;
-}
 RSAPrivateKey rsaKey = (RSAPrivateKey)key;
 try {
 return new RSAPrivateKeyImpl(
+RSAUtil.createAlgorithmId(type, rsaKey.getParams()),
 rsaKey.getModulus(),
 rsaKey.getPrivateExponent()
 );
-} catch (RuntimeException e) {
+} catch (ProviderException e) {
 // catch providers that incorrectly implement RSAPrivateKey
 throw new InvalidKeyException("Invalid key", e);
 }
 } else if ("PKCS#8".equals(key.getFormat())) {
 byte[] encoded = key.getEncoded();
-return RSAPrivateCrtKeyImpl.newKey(encoded);
+RSAPrivateKey translated = RSAPrivateCrtKeyImpl.newKey(encoded);
+// ensure the key algorithm matches the current KeyFactory instance
+checkKeyAlgo(translated, type.keyAlgo());
+return translated;
 } else {
 throw new InvalidKeyException("Private keys must be instance "
 + "of RSAPrivate(Crt)Key or have PKCS#8 encoding");
 }
 }
 // internal implementation of generatePublic. See JCA doc
 private PublicKey generatePublic(KeySpec keySpec)
 throws GeneralSecurityException {
 if (keySpec instanceof X509EncodedKeySpec) {
 X509EncodedKeySpec x509Spec = (X509EncodedKeySpec)keySpec;
-return new RSAPublicKeyImpl(x509Spec.getEncoded());
+RSAPublicKey generated = new RSAPublicKeyImpl(x509Spec.getEncoded());
+// ensure the key algorithm matches the current KeyFactory instance
+checkKeyAlgo(generated, type.keyAlgo());
+return generated;
 } else if (keySpec instanceof RSAPublicKeySpec) {
 RSAPublicKeySpec rsaSpec = (RSAPublicKeySpec)keySpec;
-return new RSAPublicKeyImpl(
+try {
-rsaSpec.getModulus(),
+return new RSAPublicKeyImpl(
-rsaSpec.getPublicExponent()
+RSAUtil.createAlgorithmId(type, rsaSpec.getParams()),
-);
+rsaSpec.getModulus(),
+rsaSpec.getPublicExponent()
+);
+} catch (ProviderException e) {
+throw new InvalidKeySpecException(e);
+}
 } else {
 throw new InvalidKeySpecException("Only RSAPublicKeySpec "
 + "and X509EncodedKeySpec supported for RSA public keys");
 }
 }
 // internal implementation of generatePrivate. See JCA doc
 private PrivateKey generatePrivate(KeySpec keySpec)
 throws GeneralSecurityException {
 if (keySpec instanceof PKCS8EncodedKeySpec) {
 PKCS8EncodedKeySpec pkcsSpec = (PKCS8EncodedKeySpec)keySpec;
-return RSAPrivateCrtKeyImpl.newKey(pkcsSpec.getEncoded());
+RSAPrivateKey generated = RSAPrivateCrtKeyImpl.newKey(pkcsSpec.getEncoded());
+// ensure the key algorithm matches the current KeyFactory instance
+checkKeyAlgo(generated, type.keyAlgo());
+return generated;
 } else if (keySpec instanceof RSAPrivateCrtKeySpec) {
 RSAPrivateCrtKeySpec rsaSpec = (RSAPrivateCrtKeySpec)keySpec;
-return new RSAPrivateCrtKeyImpl(
+try {
-rsaSpec.getModulus(),
+return new RSAPrivateCrtKeyImpl(
-rsaSpec.getPublicExponent(),
+RSAUtil.createAlgorithmId(type, rsaSpec.getParams()),
-rsaSpec.getPrivateExponent(),
+rsaSpec.getModulus(),
-rsaSpec.getPrimeP(),
+rsaSpec.getPublicExponent(),
-rsaSpec.getPrimeQ(),
+rsaSpec.getPrivateExponent(),
-rsaSpec.getPrimeExponentP(),
+rsaSpec.getPrimeP(),
-rsaSpec.getPrimeExponentQ(),
+rsaSpec.getPrimeQ(),
-rsaSpec.getCrtCoefficient()
+rsaSpec.getPrimeExponentP(),
-);
+rsaSpec.getPrimeExponentQ(),
+rsaSpec.getCrtCoefficient()
+);
+} catch (ProviderException e) {
+throw new InvalidKeySpecException(e);
+}
 } else if (keySpec instanceof RSAPrivateKeySpec) {
 RSAPrivateKeySpec rsaSpec = (RSAPrivateKeySpec)keySpec;
-return new RSAPrivateKeyImpl(
+try {
-rsaSpec.getModulus(),
+return new RSAPrivateKeyImpl(
-rsaSpec.getPrivateExponent()
+RSAUtil.createAlgorithmId(type, rsaSpec.getParams()),
-);
+rsaSpec.getModulus(),
+rsaSpec.getPrivateExponent()
+);
+} catch (ProviderException e) {
+throw new InvalidKeySpecException(e);
+}
 } else {
 throw new InvalidKeySpecException("Only RSAPrivate(Crt)KeySpec "
 + "and PKCS8EncodedKeySpec supported for RSA private keys");
 }
 }
 } catch (InvalidKeyException e) {
 throw new InvalidKeySpecException(e);
 }
 if (key instanceof RSAPublicKey) {
 RSAPublicKey rsaKey = (RSAPublicKey)key;
-if (rsaPublicKeySpecClass.isAssignableFrom(keySpec)) {
+if (RSA_PUB_KEYSPEC_CLS.isAssignableFrom(keySpec)) {
 return keySpec.cast(new RSAPublicKeySpec(
 rsaKey.getModulus(),
-rsaKey.getPublicExponent()
+rsaKey.getPublicExponent(),
+rsaKey.getParams()
 ));
-} else if (x509KeySpecClass.isAssignableFrom(keySpec)) {
+} else if (X509_KEYSPEC_CLS.isAssignableFrom(keySpec)) {
 return keySpec.cast(new X509EncodedKeySpec(key.getEncoded()));
 } else {
 throw new InvalidKeySpecException
 ("KeySpec must be RSAPublicKeySpec or "
 + "X509EncodedKeySpec for RSA public keys");
 }
 } else if (key instanceof RSAPrivateKey) {
-if (pkcs8KeySpecClass.isAssignableFrom(keySpec)) {
+if (PKCS8_KEYSPEC_CLS.isAssignableFrom(keySpec)) {
 return keySpec.cast(new PKCS8EncodedKeySpec(key.getEncoded()));
-} else if (rsaPrivateCrtKeySpecClass.isAssignableFrom(keySpec)) {
+} else if (RSA_PRIVCRT_KEYSPEC_CLS.isAssignableFrom(keySpec)) {
 if (key instanceof RSAPrivateCrtKey) {
 RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)key;
 return keySpec.cast(new RSAPrivateCrtKeySpec(
 crtKey.getModulus(),
 crtKey.getPublicExponent(),
 crtKey.getPrivateExponent(),
 crtKey.getPrimeP(),
 crtKey.getPrimeQ(),
 crtKey.getPrimeExponentP(),
 crtKey.getPrimeExponentQ(),
-crtKey.getCrtCoefficient()
+crtKey.getCrtCoefficient(),
+crtKey.getParams()
 ));
 } else {
 throw new InvalidKeySpecException
 ("RSAPrivateCrtKeySpec can only be used with CRT keys");
 }
-} else if (rsaPrivateKeySpecClass.isAssignableFrom(keySpec)) {
+} else if (RSA_PRIV_KEYSPEC_CLS.isAssignableFrom(keySpec)) {
 RSAPrivateKey rsaKey = (RSAPrivateKey)key;
 return keySpec.cast(new RSAPrivateKeySpec(
 rsaKey.getModulus(),
-rsaKey.getPrivateExponent()
+rsaKey.getPrivateExponent(),
+rsaKey.getParams()
 ));
 } else {
 throw new InvalidKeySpecException
 ("KeySpec must be RSAPrivate(Crt)KeySpec or "
 + "PKCS8EncodedKeySpec for RSA private keys");
 } else {
 // should not occur, caught in engineTranslateKey()
 throw new InvalidKeySpecException("Neither public nor private key");
 }
 }
+public static final class Legacy extends RSAKeyFactory {
+public Legacy() {
+super(KeyType.RSA);
+}
+}
+public static final class PSS extends RSAKeyFactory {
+public PSS() {
+super(KeyType.PSS);
+}
+}
 }

branch	JDK-8145252-TLS13-branch
changeset 56542	56aaa6cb3693
parent 47216	71c04702a3d5
child 56592	b1902b22005e