--- a/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java Fri Jun 22 07:49:27 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java Fri Jun 22 15:37:46 2018 -0700
@@ -76,8 +76,8 @@
byte[] temproary = null;
String algorithm = x509Possession.popPrivateKey.getAlgorithm();
try {
- Signature signer = getSignature(algorithm);
- signer.initSign(x509Possession.popPrivateKey);
+ Signature signer =
+ getSignature(algorithm, x509Possession.popPrivateKey);
byte[] hashes = chc.handshakeHash.digest(algorithm,
chc.handshakeSession.getMasterSecret());
signer.update(hashes);
@@ -134,8 +134,8 @@
String algorithm = x509Credentials.popPublicKey.getAlgorithm();
try {
- Signature signer = getSignature(algorithm);
- signer.initVerify(x509Credentials.popPublicKey);
+ Signature signer =
+ getSignature(algorithm, x509Credentials.popPublicKey);
byte[] hashes = shc.handshakeHash.digest(algorithm,
shc.handshakeSession.getMasterSecret());
signer.update(hashes);
@@ -191,19 +191,33 @@
* Get the Signature object appropriate for verification using the
* given signature algorithm.
*/
- private static Signature getSignature(
- String algorithm) throws GeneralSecurityException {
+ private static Signature getSignature(String algorithm,
+ Key key) throws GeneralSecurityException {
+ Signature signer = null;
switch (algorithm) {
case "RSA":
- return JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+ signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+ break;
case "DSA":
- return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+ signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+ break;
case "EC":
- return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+ signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+ break;
default:
throw new SignatureException("Unrecognized algorithm: "
+ algorithm);
}
+
+ if (signer != null) {
+ if (key instanceof PublicKey) {
+ signer.initVerify((PublicKey)(key));
+ } else {
+ signer.initSign((PrivateKey)key);
+ }
+ }
+
+ return signer;
}
}
@@ -307,8 +321,8 @@
byte[] temproary = null;
String algorithm = x509Possession.popPrivateKey.getAlgorithm();
try {
- Signature signer = getSignature(algorithm);
- signer.initSign(x509Possession.popPrivateKey);
+ Signature signer =
+ getSignature(algorithm, x509Possession.popPrivateKey);
byte[] hashes = chc.handshakeHash.digest(algorithm);
signer.update(hashes);
temproary = signer.sign();
@@ -364,8 +378,8 @@
String algorithm = x509Credentials.popPublicKey.getAlgorithm();
try {
- Signature signer = getSignature(algorithm);
- signer.initVerify(x509Credentials.popPublicKey);
+ Signature signer =
+ getSignature(algorithm, x509Credentials.popPublicKey);
byte[] hashes = shc.handshakeHash.digest(algorithm);
signer.update(hashes);
if (!signer.verify(signature)) {
@@ -420,19 +434,33 @@
* Get the Signature object appropriate for verification using the
* given signature algorithm.
*/
- private static Signature getSignature(
- String algorithm) throws GeneralSecurityException {
+ private static Signature getSignature(String algorithm,
+ Key key) throws GeneralSecurityException {
+ Signature signer = null;
switch (algorithm) {
case "RSA":
- return JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+ signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+ break;
case "DSA":
- return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+ signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+ break;
case "EC":
- return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+ signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+ break;
default:
throw new SignatureException("Unrecognized algorithm: "
+ algorithm);
}
+
+ if (signer != null) {
+ if (key instanceof PublicKey) {
+ signer.initVerify((PublicKey)(key));
+ } else {
+ signer.initSign((PrivateKey)key);
+ }
+ }
+
+ return signer;
}
}
@@ -548,8 +576,8 @@
byte[] temproary = null;
try {
- Signature signer = signatureScheme.getSignature();
- signer.initSign(x509Possession.popPrivateKey);
+ Signature signer =
+ signatureScheme.getSignature(x509Possession.popPrivateKey);
signer.update(chc.handshakeHash.archived());
temproary = signer.sign();
} catch (NoSuchAlgorithmException |
@@ -617,8 +645,8 @@
// opaque signature<0..2^16-1>;
this.signature = Record.getBytes16(m);
try {
- Signature signer = signatureScheme.getSignature();
- signer.initVerify(x509Credentials.popPublicKey);
+ Signature signer =
+ signatureScheme.getSignature(x509Credentials.popPublicKey);
signer.update(shc.handshakeHash.archived());
if (!signer.verify(signature)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
@@ -863,8 +891,8 @@
byte[] temproary = null;
try {
- Signature signer = signatureScheme.getSignature();
- signer.initSign(x509Possession.popPrivateKey);
+ Signature signer =
+ signatureScheme.getSignature(x509Possession.popPrivateKey);
signer.update(contentCovered);
temproary = signer.sign();
} catch (NoSuchAlgorithmException |
@@ -943,8 +971,8 @@
}
try {
- Signature signer = signatureScheme.getSignature();
- signer.initVerify(x509Credentials.popPublicKey);
+ Signature signer =
+ signatureScheme.getSignature(x509Credentials.popPublicKey);
signer.update(contentCovered);
if (!signer.verify(signature)) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
--- a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java Fri Jun 22 07:49:27 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java Fri Jun 22 15:37:46 2018 -0700
@@ -32,10 +32,12 @@
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.InvalidKeySpecException;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
@@ -175,7 +177,7 @@
boolean doExtraValiadtion =
(!KeyUtil.isOracleJCEProvider(kpg.getProvider().getName()));
boolean isRecovering = false;
- for (int i = 0; i <= 2; i++) { // Try to recove from failure.
+ for (int i = 0; i <= 2; i++) { // Try to recover from failure.
KeyPair kp = kpg.generateKeyPair();
// validate the Diffie-Hellman public key
if (doExtraValiadtion) {
@@ -187,6 +189,7 @@
throw ivke;
}
// otherwise, ignore the exception and try again
+ isRecovering = true;
continue;
}
}
@@ -207,8 +210,9 @@
try {
KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman");
return factory.getKeySpec(key, DHPublicKeySpec.class);
- } catch (Exception e) {
- throw new RuntimeException(e);
+ } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+ // unlikely
+ throw new RuntimeException("Unable to get DHPublicKeySpec", e);
}
}
--- a/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java Fri Jun 22 07:49:27 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java Fri Jun 22 15:37:46 2018 -0700
@@ -32,8 +32,11 @@
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
+import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.text.MessageFormat;
@@ -66,9 +69,9 @@
private static final
class DHServerKeyExchangeMessage extends HandshakeMessage {
// public key encapsulated in this message
- private byte[] p; // 1 to 2^16 - 1 bytes
- private byte[] g; // 1 to 2^16 - 1 bytes
- private byte[] y; // 1 to 2^16 - 1 bytes
+ private final byte[] p; // 1 to 2^16 - 1 bytes
+ private final byte[] g; // 1 to 2^16 - 1 bytes
+ private final byte[] y; // 1 to 2^16 - 1 bytes
// the signature algorithm used by this ServerKeyExchange message
private final boolean useExplicitSigAlgorithm;
@@ -133,8 +136,9 @@
"No preferred signature algorithm");
}
try {
- signer = signatureScheme.getSignature();
- } catch (NoSuchAlgorithmException |
+ signer = signatureScheme.getSignature(
+ x509Possession.popPrivateKey);
+ } catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
@@ -144,8 +148,9 @@
signatureScheme = null;
try {
signer = getSignature(
- x509Possession.popPrivateKey.getAlgorithm());
- } catch (NoSuchAlgorithmException e) {
+ x509Possession.popPrivateKey.getAlgorithm(),
+ x509Possession.popPrivateKey);
+ } catch (NoSuchAlgorithmException | InvalidKeyException e) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Possession.popPrivateKey.getAlgorithm(), e);
@@ -154,11 +159,10 @@
byte[] signature = null;
try {
- signer.initSign(x509Possession.popPrivateKey);
updateSignature(signer, shc.clientHelloRandom.randomBytes,
shc.serverHelloRandom.randomBytes);
signature = signer.sign();
- } catch (InvalidKeyException | SignatureException ex) {
+ } catch (SignatureException ex) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign dhe parameters: " +
x509Possession.popPrivateKey.getAlgorithm(), ex);
@@ -237,8 +241,9 @@
Signature signer;
if (useExplicitSigAlgorithm) {
try {
- signer = signatureScheme.getSignature();
- } catch (NoSuchAlgorithmException |
+ signer = signatureScheme.getSignature(
+ x509Credentials.popPublicKey);
+ } catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
@@ -249,8 +254,9 @@
} else {
try {
signer = getSignature(
- x509Credentials.popPublicKey.getAlgorithm());
- } catch (NoSuchAlgorithmException e) {
+ x509Credentials.popPublicKey.getAlgorithm(),
+ x509Credentials.popPublicKey);
+ } catch (NoSuchAlgorithmException | InvalidKeyException e) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Credentials.popPublicKey.getAlgorithm(), e);
@@ -260,7 +266,6 @@
}
try {
- signer.initVerify(x509Credentials.popPublicKey);
updateSignature(signer,
chc.clientHelloRandom.randomBytes,
chc.serverHelloRandom.randomBytes);
@@ -269,7 +274,7 @@
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature on DH ServerKeyExchange message");
}
- } catch (InvalidKeyException | SignatureException ex) {
+ } catch (SignatureException ex) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify DH ServerKeyExchange signature", ex);
}
@@ -414,17 +419,30 @@
}
}
- private static Signature getSignature(String keyAlgorithm)
- throws NoSuchAlgorithmException {
+ private static Signature getSignature(String keyAlgorithm,
+ Key key) throws NoSuchAlgorithmException, InvalidKeyException {
+ Signature signer = null;
switch (keyAlgorithm) {
case "DSA":
- return JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
+ signer = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
+ break;
case "RSA":
- return RSASignature.getInstance();
+ signer = RSASignature.getInstance();
+ break;
default:
throw new NoSuchAlgorithmException(
"neither an RSA or a DSA key : " + keyAlgorithm);
}
+
+ if (signer != null) {
+ if (key instanceof PublicKey) {
+ signer.initVerify((PublicKey)(key));
+ } else {
+ signer.initSign((PrivateKey)key);
+ }
+ }
+
+ return signer;
}
/*
--- a/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java Fri Jun 22 07:49:27 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java Fri Jun 22 15:37:46 2018 -0700
@@ -30,8 +30,11 @@
import java.security.CryptoPrimitive;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
+import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.ECPublicKey;
@@ -149,8 +152,9 @@
" key");
}
try {
- signer = signatureScheme.getSignature();
- } catch (NoSuchAlgorithmException |
+ signer = signatureScheme.getSignature(
+ x509Possession.popPrivateKey);
+ } catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
@@ -160,8 +164,9 @@
signatureScheme = null;
try {
signer = getSignature(
- x509Possession.popPrivateKey.getAlgorithm());
- } catch (NoSuchAlgorithmException e) {
+ x509Possession.popPrivateKey.getAlgorithm(),
+ x509Possession.popPrivateKey);
+ } catch (NoSuchAlgorithmException | InvalidKeyException e) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Possession.popPrivateKey.getAlgorithm(), e);
@@ -170,12 +175,11 @@
byte[] signature = null;
try {
- signer.initSign(x509Possession.popPrivateKey);
updateSignature(signer, shc.clientHelloRandom.randomBytes,
shc.serverHelloRandom.randomBytes,
namedGroup.id, publicPoint);
signature = signer.sign();
- } catch (InvalidKeyException | SignatureException ex) {
+ } catch (SignatureException ex) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign ecdhe parameters: " +
x509Possession.popPrivateKey.getAlgorithm(), ex);
@@ -291,8 +295,9 @@
Signature signer;
if (useExplicitSigAlgorithm) {
try {
- signer = signatureScheme.getSignature();
- } catch (NoSuchAlgorithmException |
+ signer = signatureScheme.getSignature(
+ x509Credentials.popPublicKey);
+ } catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
@@ -303,8 +308,9 @@
} else {
try {
signer = getSignature(
- x509Credentials.popPublicKey.getAlgorithm());
- } catch (NoSuchAlgorithmException e) {
+ x509Credentials.popPublicKey.getAlgorithm(),
+ x509Credentials.popPublicKey);
+ } catch (NoSuchAlgorithmException | InvalidKeyException e) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Credentials.popPublicKey.getAlgorithm(), e);
@@ -314,7 +320,6 @@
}
try {
- signer.initVerify(x509Credentials.popPublicKey);
updateSignature(signer,
chc.clientHelloRandom.randomBytes,
chc.serverHelloRandom.randomBytes,
@@ -324,7 +329,7 @@
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid ECDH ServerKeyExchange signature");
}
- } catch (InvalidKeyException | SignatureException ex) {
+ } catch (SignatureException ex) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify ECDH ServerKeyExchange signature", ex);
}
@@ -440,17 +445,30 @@
}
}
- private static Signature getSignature(String keyAlgorithm)
- throws NoSuchAlgorithmException {
+ private static Signature getSignature(String keyAlgorithm,
+ Key key) throws NoSuchAlgorithmException, InvalidKeyException {
+ Signature signer = null;
switch (keyAlgorithm) {
case "EC":
- return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA);
+ signer = JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA);
+ break;
case "RSA":
- return RSASignature.getInstance();
+ signer = RSASignature.getInstance();
+ break;
default:
throw new NoSuchAlgorithmException(
"neither an RSA or a EC key : " + keyAlgorithm);
}
+
+ if (signer != null) {
+ if (key instanceof PublicKey) {
+ signer.initVerify((PublicKey)(key));
+ } else {
+ signer.initSign((PrivateKey)key);
+ }
+ }
+
+ return signer;
}
private static void updateSignature(Signature sig,
--- a/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java Fri Jun 22 07:49:27 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java Fri Jun 22 15:37:46 2018 -0700
@@ -105,7 +105,7 @@
// RSASSA-PKCS1-v1_5 algorithms
RSA_PKCS1_SHA256 (0x0401, "rsa_pkcs1_sha256", "SHA256withRSA",
- "RSA", null, null, 512,
+ "RSA", null, null, 511,
ProtocolVersion.PROTOCOLS_TO_13,
ProtocolVersion.PROTOCOLS_TO_12),
RSA_PKCS1_SHA384 (0x0501, "rsa_pkcs1_sha384", "SHA384withRSA",
@@ -119,29 +119,29 @@
// Legacy algorithms
DSA_SHA256 (0x0402, "dsa_sha256", "SHA256withDSA",
- "dsa",
+ "DSA",
ProtocolVersion.PROTOCOLS_TO_12),
ECDSA_SHA224 (0x0303, "ecdsa_sha224", "SHA224withECDSA",
"EC",
ProtocolVersion.PROTOCOLS_TO_12),
RSA_SHA224 (0x0301, "rsa_sha224", "SHA224withRSA",
- "rsa", 768,
+ "RSA", 511,
ProtocolVersion.PROTOCOLS_TO_12),
DSA_SHA224 (0x0302, "dsa_sha224", "SHA224withDSA",
- "dsa",
+ "DSA",
ProtocolVersion.PROTOCOLS_TO_12),
ECDSA_SHA1 (0x0203, "ecdsa_sha1", "SHA1withECDSA",
"EC",
ProtocolVersion.PROTOCOLS_TO_13),
RSA_PKCS1_SHA1 (0x0201, "rsa_pkcs1_sha1", "SHA1withRSA",
- "rsa", null, null, 512,
+ "RSA", null, null, 511,
ProtocolVersion.PROTOCOLS_TO_13,
ProtocolVersion.PROTOCOLS_TO_12),
DSA_SHA1 (0x0202, "dsa_sha1", "SHA1withDSA",
- "dsa",
+ "DSA",
ProtocolVersion.PROTOCOLS_TO_12),
RSA_MD5 (0x0101, "rsa_md5", "MD5withRSA",
- "rsa", 512,
+ "RSA", 511,
ProtocolVersion.PROTOCOLS_TO_12);
final int id; // hash + signature
@@ -158,6 +158,8 @@
// sense to use the strong hash algorithm for keys whose key size less
// than 512 bits. So it is not necessary to calculate the minimal
// required key size exactly for a hash algorithm.
+ //
+ // Note that some provider may use 511 bits for 512-bit strength RSA keys.
final int minimalKeySize;
final List<ProtocolVersion> supportedProtocols;
@@ -458,13 +460,22 @@
return new String[0];
}
- Signature getSignature() throws NoSuchAlgorithmException,
- InvalidAlgorithmParameterException {
+ Signature getSignature(Key key) throws NoSuchAlgorithmException,
+ InvalidAlgorithmParameterException, InvalidKeyException {
if (!isAvailable) {
return null;
}
Signature signer = JsseJce.getSignature(algorithm);
+ if (key instanceof PublicKey) {
+ signer.initVerify((PublicKey)(key));
+ } else {
+ signer.initSign((PrivateKey)key);
+ }
+
+ // Important note: Please don't set the parameters before signature
+ // or verification initialization, so that the crypto provider can
+ // be selected properly.
if (signAlgParameter != null) {
signer.setParameter(signAlgParameter);
}
--- a/test/jdk/ProblemList.txt Fri Jun 22 07:49:27 2018 -0700
+++ b/test/jdk/ProblemList.txt Fri Jun 22 15:37:46 2018 -0700
@@ -692,9 +692,6 @@
sun/security/pkcs11/tls/TestPRF.java 8204203 windows-all
sun/security/pkcs11/tls/TestPremaster.java 8204203 windows-all
-sun/security/mscapi/ShortRSAKeyWithinTLS.java 8204979 windows-all
-sun/security/pkcs11/KeyStore/ClientAuth.sh 8204983 generic-all
-
############################################################################
# jdk_sound
--- a/test/jdk/sun/security/pkcs11/KeyStore/ClientAuth.java Fri Jun 22 07:49:27 2018 -0700
+++ b/test/jdk/sun/security/pkcs11/KeyStore/ClientAuth.java Fri Jun 22 15:37:46 2018 -0700
@@ -197,6 +197,9 @@
}
public static void main(String[] args) throws Exception {
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+
// Get the customized arguments.
parseArguments(args);
main(new ClientAuth());