jdk-sandbox: comparison src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java

equal deleted inserted replaced

-:13588c901957
+:9cf78a70fa4f
 /*
-* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 public final class SunPKCS11 extends AuthProvider {
 private static final long serialVersionUID = -1354835039035306505L;
 static final Debug debug = Debug.getInstance("sunpkcs11");
 // the PKCS11 object through which we make the native calls
 final PKCS11 p11;
 // configuration information
 final Config config;
 String P11DHKeyFactory     = "sun.security.pkcs11.P11DHKeyFactory";
 String P11KeyAgreement     = "sun.security.pkcs11.P11KeyAgreement";
 String P11SecretKeyFactory = "sun.security.pkcs11.P11SecretKeyFactory";
 String P11Cipher           = "sun.security.pkcs11.P11Cipher";
 String P11RSACipher        = "sun.security.pkcs11.P11RSACipher";
+String P11AEADCipher       = "sun.security.pkcs11.P11AEADCipher";
 String P11Signature        = "sun.security.pkcs11.P11Signature";
+String P11PSSSignature     = "sun.security.pkcs11.P11PSSSignature";
 // XXX register all aliases
 d(MD, "MD2",            P11Digest,
 m(CKM_MD2));
 s("2.16.840.1.101.3.4.2.2", "OID.2.16.840.1.101.3.4.2.2"),
 m(CKM_SHA384));
 d(MD, "SHA-512",        P11Digest,
 s("2.16.840.1.101.3.4.2.3", "OID.2.16.840.1.101.3.4.2.3"),
 m(CKM_SHA512));
+d(MD, "SHA-512/224",        P11Digest,
+s("2.16.840.1.101.3.4.2.5", "OID.2.16.840.1.101.3.4.2.5"),
+m(CKM_SHA512_224));
+d(MD, "SHA-512/256",        P11Digest,
+s("2.16.840.1.101.3.4.2.6", "OID.2.16.840.1.101.3.4.2.6"),
+m(CKM_SHA512_256));
 d(MAC, "HmacMD5",       P11MAC,
 m(CKM_MD5_HMAC));
 d(MAC, "HmacSHA1",      P11MAC,
 s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"),
 s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"),
 m(CKM_SHA384_HMAC));
 d(MAC, "HmacSHA512",    P11MAC,
 s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"),
 m(CKM_SHA512_HMAC));
+d(MAC, "HmacSHA512/224",    P11MAC,
+s("1.2.840.113549.2.12", "OID.1.2.840.113549.2.12"),
+m(CKM_SHA512_224_HMAC));
+d(MAC, "HmacSHA512/256",    P11MAC,
+s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"),
+m(CKM_SHA512_256_HMAC));
 d(MAC, "SslMacMD5",     P11MAC,
 m(CKM_SSL3_MD5_MAC));
 d(MAC, "SslMacSHA1",    P11MAC,
 m(CKM_SSL3_SHA1_MAC));
 d(KPG, "RSA",           P11KeyPairGenerator,
+s("1.2.840.113549.1.1", "OID.1.2.840.113549.1.1"),
 m(CKM_RSA_PKCS_KEY_PAIR_GEN));
 d(KPG, "DSA",           P11KeyPairGenerator,
 s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"),
 m(CKM_DSA_KEY_PAIR_GEN));
 d(KPG, "DH",            P11KeyPairGenerator,    s("DiffieHellman"),
 m(CKM_DH_PKCS_KEY_PAIR_GEN));
 m(CKM_BLOWFISH_KEY_GEN));
 // register (Secret)KeyFactories if there are any mechanisms
 // for a particular algorithm that we support
 d(KF, "RSA",            P11RSAKeyFactory,
+s("1.2.840.113549.1.1", "OID.1.2.840.113549.1.1"),
 m(CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_RSA_X_509));
 d(KF, "DSA",            P11DSAKeyFactory,
 s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"),
 m(CKM_DSA_KEY_PAIR_GEN, CKM_DSA, CKM_DSA_SHA1));
 d(KF, "DH",             P11DHKeyFactory,        s("DiffieHellman"),
 CKM_ECDSA, CKM_ECDSA_SHA1));
 // AlgorithmParameters for EC.
 // Only needed until we have an EC implementation in the SUN provider.
 d(AGP, "EC",            "sun.security.util.ECParameters",
 s("1.2.840.10045.2.1"),
 m(CKM_EC_KEY_PAIR_GEN, CKM_ECDH1_DERIVE,
 CKM_ECDSA, CKM_ECDSA_SHA1));
+d(AGP, "GCM",            "sun.security.util.GCMParameters",
+m(CKM_AES_GCM));
 d(KA, "DH",             P11KeyAgreement,        s("DiffieHellman"),
 m(CKM_DH_PKCS_DERIVE));
 d(KA, "ECDH",           "sun.security.pkcs11.P11ECDHKeyAgreement",
 m(CKM_ECDH1_DERIVE));
 m(CKM_AES_ECB));
 d(CIP, "AES/ECB/PKCS5Padding",          P11Cipher,      s("AES"),
 m(CKM_AES_ECB));
 d(CIP, "AES/CTR/NoPadding",             P11Cipher,
 m(CKM_AES_CTR));
+d(CIP, "AES/GCM/NoPadding",             P11AEADCipher,
+m(CKM_AES_GCM));
+d(CIP, "AES_128/GCM/NoPadding",          P11AEADCipher,
+s("2.16.840.1.101.3.4.1.6", "OID.2.16.840.1.101.3.4.1.6"),
+m(CKM_AES_GCM));
+d(CIP, "AES_192/GCM/NoPadding",          P11AEADCipher,
+s("2.16.840.1.101.3.4.1.26", "OID.2.16.840.1.101.3.4.1.26"),
+m(CKM_AES_GCM));
+d(CIP, "AES_256/GCM/NoPadding",          P11AEADCipher,
+s("2.16.840.1.101.3.4.1.46", "OID.2.16.840.1.101.3.4.1.46"),
+m(CKM_AES_GCM));
 d(CIP, "Blowfish/CBC/NoPadding",        P11Cipher,
 m(CKM_BLOWFISH_CBC));
 d(CIP, "Blowfish/CBC/PKCS5Padding",     P11Cipher,
 m(CKM_BLOWFISH_CBC));
-// XXX RSA_X_509, RSA_OAEP not yet supported
 d(CIP, "RSA/ECB/PKCS1Padding",          P11RSACipher,   s("RSA"),
 m(CKM_RSA_PKCS));
 d(CIP, "RSA/ECB/NoPadding",             P11RSACipher,
 m(CKM_RSA_X_509));
 m(CKM_DSA));
 d(SIG, "DSA",           P11Signature,
 s("SHA1withDSA", "1.3.14.3.2.13", "1.3.14.3.2.27",
 "1.2.840.10040.4.3", "OID.1.2.840.10040.4.3"),
 m(CKM_DSA_SHA1, CKM_DSA));
+d(SIG, "SHA224withDSA", P11Signature,
+s("2.16.840.1.101.3.4.3.1", "OID.2.16.840.1.101.3.4.3.1"),
+m(CKM_DSA_SHA224));
+d(SIG, "SHA256withDSA", P11Signature,
+s("2.16.840.1.101.3.4.3.2", "OID.2.16.840.1.101.3.4.3.2"),
+m(CKM_DSA_SHA256));
+d(SIG, "SHA384withDSA", P11Signature,
+s("2.16.840.1.101.3.4.3.3", "OID.2.16.840.1.101.3.4.3.3"),
+m(CKM_DSA_SHA384));
+d(SIG, "SHA512withDSA", P11Signature,
+s("2.16.840.1.101.3.4.3.4", "OID.2.16.840.1.101.3.4.3.4"),
+m(CKM_DSA_SHA512));
 d(SIG, "RawDSAinP1363Format",   P11Signature,
 s("NONEwithDSAinP1363Format"),
 m(CKM_DSA));
 d(SIG, "DSAinP1363Format",      P11Signature,
 s("SHA1withDSAinP1363Format"),
 m(CKM_DSA_SHA1, CKM_DSA));
 d(SIG, "NONEwithECDSA", P11Signature,
 m(CKM_ECDSA));
 d(SIG, "SHA1withECDSA", P11Signature,
 s("ECDSA", "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1"),
 m(CKM_ECDSA_SHA1, CKM_ECDSA));
 s("1.2.840.113549.1.1.12", "OID.1.2.840.113549.1.1.12"),
 m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
 d(SIG, "SHA512withRSA", P11Signature,
 s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
 m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
+d(SIG, "RSASSA-PSS", P11PSSSignature,
+s("1.2.840.113549.1.1.10", "OID.1.2.840.113549.1.1.10"),
+m(CKM_RSA_PKCS_PSS));
+d(SIG, "SHA1withRSASSA-PSS", P11PSSSignature,
+m(CKM_SHA1_RSA_PKCS_PSS));
+d(SIG, "SHA224withRSASSA-PSS", P11PSSSignature,
+m(CKM_SHA224_RSA_PKCS_PSS));
+d(SIG, "SHA256withRSASSA-PSS", P11PSSSignature,
+m(CKM_SHA256_RSA_PKCS_PSS));
+d(SIG, "SHA384withRSASSA-PSS", P11PSSSignature,
+m(CKM_SHA384_RSA_PKCS_PSS));
+d(SIG, "SHA512withRSASSA-PSS", P11PSSSignature,
+m(CKM_SHA512_RSA_PKCS_PSS));
 d(KG, "SunTlsRsaPremasterSecret",
 "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
 s("SunTls12RsaPremasterSecret"),
 m(CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_PRE_MASTER_KEY_GEN));
 }
 });
 createPoller();
 }
+private static boolean isLegacy(CK_MECHANISM_INFO mechInfo)
+throws PKCS11Exception {
+// assume full support if no mech info available
+// For vendor-specific mechanisms, often no mech info is provided
+boolean partialSupport = false;
+if (mechInfo != null) {
+if ((mechInfo.flags & CKF_DECRYPT) != 0) {
+// non-legacy cipher mechs should support encryption
+partialSupport |= ((mechInfo.flags & CKF_ENCRYPT) == 0);
+}
+if ((mechInfo.flags & CKF_VERIFY) != 0) {
+// non-legacy signature mechs should support signing
+partialSupport |= ((mechInfo.flags & CKF_SIGN) == 0);
+}
+}
+return partialSupport;
+}
 // test if a token is present and initialize this provider for it if so.
 // does nothing if no token is found
 // called from constructor and by poller
 private void initToken(CK_SLOT_INFO slotInfo) throws PKCS11Exception {
 if (slotInfo == null) {
 // could be mapped to CKM_DES_CBC_PAD or CKM_DES_CBC.  Prefer
 // the earliest entry.  When asked for "DES/CBC/PKCS5Padding", we
 // return a CKM_DES_CBC_PAD.
 final Map<Descriptor,Integer> supportedAlgs =
 new HashMap<Descriptor,Integer>();
 for (int i = 0; i < supportedMechanisms.length; i++) {
 long longMech = supportedMechanisms[i];
-boolean isEnabled = config.isEnabled(longMech);
+CK_MECHANISM_INFO mechInfo = token.getMechanismInfo(longMech);
 if (showInfo) {
-CK_MECHANISM_INFO mechInfo =
-p11.C_GetMechanismInfo(slotID, longMech);
 System.out.println("Mechanism " +
 Functions.getMechanismName(longMech) + ":");
-if (isEnabled == false) {
+System.out.println(mechInfo == null?
+(Constants.INDENT + "info n/a") :
+mechInfo);
+}
+if (!config.isEnabled(longMech)) {
+if (showInfo) {
 System.out.println("DISABLED in configuration");
 }
-System.out.println(mechInfo);
-}
-if (isEnabled == false) {
 continue;
 }
+if (isLegacy(mechInfo)) {
+if (showInfo) {
+System.out.println("DISABLED due to legacy");
+}
+continue;
+}
 // we do not know of mechs with the upper 32 bits set
 if (longMech >>> 32 != 0) {
+if (showInfo) {
+System.out.println("DISABLED due to unknown mech value");
+}
 continue;
 }
 int mech = (int)longMech;
 Integer integerMech = Integer.valueOf(mech);
 List<Descriptor> ds = descriptors.get(integerMech);
 if (type == MD) {
 return new P11Digest(token, algorithm, mechanism);
 } else if (type == CIP) {
 if (algorithm.startsWith("RSA")) {
 return new P11RSACipher(token, algorithm, mechanism);
+} else if (algorithm.endsWith("GCM/NoPadding")) {
+return new P11AEADCipher(token, algorithm, mechanism);
 } else {
 return new P11Cipher(token, algorithm, mechanism);
 }
 } else if (type == SIG) {
-return new P11Signature(token, algorithm, mechanism);
+if (algorithm.indexOf("RSASSA-PSS") != -1) {
+return new P11PSSSignature(token, algorithm, mechanism);
+} else {
+return new P11Signature(token, algorithm, mechanism);
+}
 } else if (type == MAC) {
 return new P11Mac(token, algorithm, mechanism);
 } else if (type == KPG) {
 return new P11KeyPairGenerator(token, algorithm, mechanism);
 } else if (type == KA) {
 } else if (type == SR) {
 return token.getRandom();
 } else if (type == KS) {
 return token.getKeyStore();
 } else if (type == AGP) {
-return new sun.security.util.ECParameters();
+if (algorithm == "EC") {
+return new sun.security.util.ECParameters();
+} else if (algorithm == "GCM") {
+return new sun.security.util.GCMParameters();
+} else {
+throw new NoSuchAlgorithmException("Unsupported algorithm: "
++ algorithm);
+}
 } else {
 throw new NoSuchAlgorithmException("Unknown type: " + type);
 }
 }
 String type = getType();
 Key key = (Key)param;
 String keyAlgorithm = key.getAlgorithm();
 // RSA signatures and cipher
 if (((type == CIP) && algorithm.startsWith("RSA"))
-|| (type == SIG) && algorithm.endsWith("RSA")) {
+|| (type == SIG) && (algorithm.indexOf("RSA") != -1)) {
 if (keyAlgorithm.equals("RSA") == false) {
 return false;
 }
 return isLocalKey(key)
 || (key instanceof RSAPrivateKey)

branch	datagramsocketimpl-branch
changeset 58678	9cf78a70fa4f
parent 51800	bccd9966f1ed
child 58679	9c3209ff7550