jdk-sandbox: comparison src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java

equal deleted inserted replaced

-:a627f88bed3a
+:5984d1c9d03d
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
 import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.InvalidParameterSpecException;
 import java.security.spec.KeySpec;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.*;
 import java.security.AlgorithmParameters;
 private static final String[] KEY_PROTECTION_ALGORITHM = {
 "keystore.pkcs12.keyProtectionAlgorithm",
 "keystore.PKCS12.keyProtectionAlgorithm"
 };
+private static final int MAX_ITERATION_COUNT = 5000000;
+private static final int PBE_ITERATION_COUNT = 50000; // default
+private static final int MAC_ITERATION_COUNT = 100000; // default
+private static final int SALT_LEN = 20;
 // friendlyName, localKeyId, trustedKeyUsage
 private static final String[] CORE_ATTRIBUTES = {
 "1.2.840.113549.1.9.20",
 "1.2.840.113549.1.9.21",
 "2.16.840.1.113894.746875.1.1"
 private static ObjectIdentifier pbes2_OID;
 private static ObjectIdentifier TrustedKeyUsage_OID;
 private static ObjectIdentifier[] AnyUsage;
 private int counter = 0;
-private static final int iterationCount = 1024;
-private static final int SALT_LEN = 20;
 // private key count
 // Note: This is a workaround to allow null localKeyID attribute
 // in pkcs12 with one private key entry and associated cert-chain
 private int privateKeyCount = 0;
 }
 byte[] encryptedKey;
 AlgorithmParameters algParams;
 ObjectIdentifier algOid;
 try {
 // get the encrypted private key
 EncryptedPrivateKeyInfo encrInfo =
 new EncryptedPrivateKeyInfo(encrBytes);
 encryptedKey = encrInfo.getEncryptedData();
 + "PKCS#8 EncryptedPrivateKeyInfo: " + ioe);
 uke.initCause(ioe);
 throw uke;
 }
 try {
+PBEParameterSpec pbeSpec;
+int ic = 0;
+if (algParams != null) {
+try {
+pbeSpec =
+algParams.getParameterSpec(PBEParameterSpec.class);
+} catch (InvalidParameterSpecException ipse) {
+throw new IOException("Invalid PBE algorithm parameters");
+}
+ic = pbeSpec.getIterationCount();
+if (ic > MAX_ITERATION_COUNT) {
+throw new IOException("PBE iteration count too large");
+}
+}
 byte[] keyInfo;
 while (true) {
 try {
 // Use JCE
 SecretKey skey = getPBEKey(password);
 KeyFactory kfac = KeyFactory.getInstance(keyAlgo);
 PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(keyInfo);
 key = kfac.generatePrivate(kspec);
 if (debug != null) {
-debug.println("Retrieved a protected private key (" +
+debug.println("Retrieved a protected private key at alias" +
-key.getClass().getName() + ") at alias '" + alias +
+" '" + alias + "' (" +
-"'");
+new AlgorithmId(algOid).getName() +
+" iterations: " + ic + ")");
 }
 // decode secret key
 } else {
 byte[] keyBytes = in.getOctetString();
 } else {
 key = secretKeySpec;
 }
 if (debug != null) {
-debug.println("Retrieved a protected secret key (" +
+debug.println("Retrieved a protected secret key at alias " +
-key.getClass().getName() + ") at alias '" + alias +
+"'" + alias + "' (" +
-"'");
+new AlgorithmId(algOid).getName() +
+" iterations: " + ic + ")");
 }
 }
 } catch (Exception e) {
 UnrecoverableKeyException uke =
 new UnrecoverableKeyException("Get Key failed: " +
 if ((key.getFormat().equals("PKCS#8")) ||
 (key.getFormat().equals("PKCS8"))) {
 if (debug != null) {
-debug.println("Setting a protected private key (" +
+debug.println(
-key.getClass().getName() + ") at alias '" + alias +
+"Setting a protected private key at alias '" +
-"'");
+alias + "'");
 }
 // Encrypt the private key
 keyEntry.protectedPrivKey =
 encryptPrivateKey(key.getEncoded(), passwordProtection);
 // Encrypt the secret key (using same PBE as for private keys)
 keyEntry.protectedSecretKey =
 encryptPrivateKey(pkcs8.toByteArray(), passwordProtection);
 if (debug != null) {
-debug.println("Setting a protected secret key (" +
+debug.println("Setting a protected secret key at alias '" +
-key.getClass().getName() + ") at alias '" + alias +
+alias + "'");
-"'");
 }
 secretKeyCount++;
 entry = keyEntry;
 } else {
 }
 /*
 * Generate PBE Algorithm Parameters
 */
-private AlgorithmParameters getAlgorithmParameters(String algorithm)
+private AlgorithmParameters getPBEAlgorithmParameters(String algorithm)
 throws IOException
 {
 AlgorithmParameters algParams = null;
 // create PBE parameters from salt and iteration count
 PBEParameterSpec paramSpec =
-new PBEParameterSpec(getSalt(), iterationCount);
+new PBEParameterSpec(getSalt(), PBE_ITERATION_COUNT);
 try {
 algParams = AlgorithmParameters.getInstance(algorithm);
 algParams.init(paramSpec);
 } catch (Exception e) {
-throw new IOException("getAlgorithmParameters failed: " +
+throw new IOException("getPBEAlgorithmParameters failed: " +
 e.getMessage(), e);
 }
 return algParams;
 }
 passwordProtection.getProtectionParameters();
 if (algParamSpec != null) {
 algParams = AlgorithmParameters.getInstance(algorithm);
 algParams.init(algParamSpec);
 } else {
-algParams = getAlgorithmParameters(algorithm);
+algParams = getPBEAlgorithmParameters(algorithm);
 }
 } else {
 // Check default key protection algorithm for PKCS12 keystores
 algorithm = AccessController.doPrivileged(
 new PrivilegedAction<String>() {
 }
 });
 if (algorithm == null || algorithm.isEmpty()) {
 algorithm = "PBEWithSHA1AndDESede";
 }
-algParams = getAlgorithmParameters(algorithm);
+algParams = getPBEAlgorithmParameters(algorithm);
 }
 ObjectIdentifier pbeOID = mapPBEAlgorithmToOID(algorithm);
 if (pbeOID == null) {
 throw new IOException("PBE algorithm '" + algorithm +
 // -- create safeContent Data ContentInfo
 if (privateKeyCount > 0 || secretKeyCount > 0) {
 if (debug != null) {
 debug.println("Storing " + (privateKeyCount + secretKeyCount) +
-" protected key(s) in a PKCS#7 data content-type");
+" protected key(s) in a PKCS#7 data");
 }
 byte[] safeContentData = createSafeContent();
 ContentInfo dataContentInfo = new ContentInfo(safeContentData);
 dataContentInfo.encode(authSafeContentInfo);
 // -- create EncryptedContentInfo
 if (certificateCount > 0) {
 if (debug != null) {
 debug.println("Storing " + certificateCount +
-" certificate(s) in a PKCS#7 encryptedData content-type");
+" certificate(s) in a PKCS#7 encryptedData");
 }
 byte[] encrData = createEncryptedData(password);
 ContentInfo encrContentInfo =
 new ContentInfo(ContentInfo.ENCRYPTED_DATA_OID,
 byte[] salt = getSalt();
 // generate MAC (MAC key is generated within JCE)
 Mac m = Mac.getInstance("HmacPBESHA1");
 PBEParameterSpec params =
-new PBEParameterSpec(salt, iterationCount);
+new PBEParameterSpec(salt, MAC_ITERATION_COUNT);
 SecretKey key = getPBEKey(passwd);
 m.init(key, params);
 m.update(data);
 byte[] macResult = m.doFinal();
 // encode as MacData
 MacData macData = new MacData(algName, macResult, salt,
-iterationCount);
+MAC_ITERATION_COUNT);
 DerOutputStream bytes = new DerOutputStream();
 bytes.write(macData.getEncoded());
 mData = bytes.toByteArray();
 } catch (Exception e) {
 throw new IOException("calculateMac failed: " + e, e);
 byte[] encryptedData = null;
 // create AlgorithmParameters
 AlgorithmParameters algParams =
-getAlgorithmParameters("PBEWithSHA1AndRC2_40");
+getPBEAlgorithmParameters("PBEWithSHA1AndRC2_40");
 DerOutputStream bytes = new DerOutputStream();
 AlgorithmId algId =
 new AlgorithmId(pbeWithSHAAnd40BitRC2CBC_OID, algParams);
 algId.encode(bytes);
 byte[] encodedAlgId = bytes.toByteArray();
 contentType = safeContents.getContentType();
 safeContentsData = null;
 if (contentType.equals(ContentInfo.DATA_OID)) {
 if (debug != null) {
-debug.println("Loading PKCS#7 data content-type");
+debug.println("Loading PKCS#7 data");
 }
 safeContentsData = safeContents.getData();
 } else if (contentType.equals(ContentInfo.ENCRYPTED_DATA_OID)) {
 if (password == null) {
 if (debug != null) {
 debug.println("Warning: skipping PKCS#7 encryptedData" +
-" content-type - no password was supplied");
+" - no password was supplied");
 }
 continue;
-}
-if (debug != null) {
-debug.println("Loading PKCS#7 encryptedData content-type");
 }
 DerInputStream edi =
 safeContents.getContent().toDerInputStream();
 int edVersion = edi.getInteger();
 // parse Algorithm parameters
 DerInputStream in = seq[1].toDerInputStream();
 ObjectIdentifier algOid = in.getOID();
 AlgorithmParameters algParams = parseAlgParameters(algOid, in);
+PBEParameterSpec pbeSpec;
+int ic = 0;
+if (algParams != null) {
+try {
+pbeSpec =
+algParams.getParameterSpec(PBEParameterSpec.class);
+} catch (InvalidParameterSpecException ipse) {
+throw new IOException(
+"Invalid PBE algorithm parameters");
+}
+ic = pbeSpec.getIterationCount();
+if (ic > MAX_ITERATION_COUNT) {
+throw new IOException("PBE iteration count too large");
+}
+}
+if (debug != null) {
+debug.println("Loading PKCS#7 encryptedData " +
+"(" + new AlgorithmId(algOid).getName() +
+" iterations: " + ic + ")");
+}
 while (true) {
 try {
 // Use JCE
 SecretKey skey = getPBEKey(password);
 loadSafeContents(sc, password);
 }
 // The MacData is optional.
 if (password != null && s.available() > 0) {
 MacData macData = new MacData(s);
-try {
+int ic = macData.getIterations();
+try {
+if (ic > MAX_ITERATION_COUNT) {
+throw new InvalidAlgorithmParameterException(
+"MAC iteration count too large: " + ic);
+}
 String algName =
 macData.getDigestAlgName().toUpperCase(Locale.ENGLISH);
 // Change SHA-1 to SHA1
 algName = algName.replace("-", "");
 // generate MAC (MAC key is created within JCE)
 Mac m = Mac.getInstance("HmacPBE" + algName);
 PBEParameterSpec params =
-new PBEParameterSpec(macData.getSalt(),
+new PBEParameterSpec(macData.getSalt(), ic);
-macData.getIterations());
 SecretKey key = getPBEKey(password);
 m.init(key, params);
 m.update(authSafeData);
 byte[] macResult = m.doFinal();
 if (debug != null) {
 debug.println("Checking keystore integrity " +
-"(MAC algorithm: " + m.getAlgorithm() + ")");
+"(" + m.getAlgorithm() + " iterations: " + ic + ")");
 }
 if (!MessageDigest.isEqual(macData.getDigest(), macResult)) {
 throw new UnrecoverableKeyException("Failed PKCS12" +
 " integrity checking");
 }
 } catch (Exception e) {
 throw new IOException("Integrity check failed: " + e, e);
 }
 }
 /*
 * Match up private keys with certificate chains.
 */

changeset 47417	5984d1c9d03d
parent 47216	71c04702a3d5
child 50778	bba1deda9216