7181214: Need specify SKF translateKey(SecurityKey) method requires instance of PBEKey for PBKDF2 algorithms

Valerie Peng · Valerie Peng · commit 6dc4d891c3ad · 2022-11-23T18:49:35.000Z
Reviewed-by: xuelei, weijun
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2Core.java b/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2Core.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -63,11 +63,11 @@ abstract class PBKDF2Core extends SecretKeyFactorySpi {
     protected SecretKey engineGenerateSecret(KeySpec keySpec)
         throws InvalidKeySpecException
     {
-        if (!(keySpec instanceof PBEKeySpec)) {
-            throw new InvalidKeySpecException("Invalid key spec");
+        if (keySpec instanceof PBEKeySpec ks) {
+            return new PBKDF2KeyImpl(ks, prfAlgo);
+        } else {
+            throw new InvalidKeySpecException("Only PBEKeySpec is accepted");
         }
-        PBEKeySpec ks = (PBEKeySpec) keySpec;
-        return new PBKDF2KeyImpl(ks, prfAlgo);
     }
 
     /**
@@ -89,12 +89,10 @@ protected SecretKey engineGenerateSecret(KeySpec keySpec)
      */
     protected KeySpec engineGetKeySpec(SecretKey key, Class<?> keySpecCl)
         throws InvalidKeySpecException {
-        if (key instanceof javax.crypto.interfaces.PBEKey) {
+        if (key instanceof javax.crypto.interfaces.PBEKey pKey) {
             // Check if requested key spec is amongst the valid ones
             if ((keySpecCl != null)
                     && keySpecCl.isAssignableFrom(PBEKeySpec.class)) {
-                javax.crypto.interfaces.PBEKey pKey =
-                    (javax.crypto.interfaces.PBEKey) key;
                 char[] passwd = pKey.getPassword();
                 byte[] encoded = pKey.getEncoded();
                 try {
@@ -107,11 +105,11 @@ protected KeySpec engineGetKeySpec(SecretKey key, Class<?> keySpecCl)
                     Arrays.fill(encoded, (byte)0);
                 }
             } else {
-                throw new InvalidKeySpecException("Invalid key spec");
+                throw new InvalidKeySpecException
+                        ("Only PBEKeySpec is accepted");
             }
         } else {
-            throw new InvalidKeySpecException("Invalid key " +
-                                               "format/algorithm");
+            throw new InvalidKeySpecException("Only PBEKey is accepted");
         }
     }
 
@@ -138,9 +136,7 @@ protected SecretKey engineTranslateKey(SecretKey key)
                 return key;
             }
             // Check if key implements the PBEKey
-            if (key instanceof javax.crypto.interfaces.PBEKey) {
-                javax.crypto.interfaces.PBEKey pKey =
-                    (javax.crypto.interfaces.PBEKey) key;
+            if (key instanceof javax.crypto.interfaces.PBEKey pKey) {
                 char[] password = pKey.getPassword();
                 byte[] encoding = pKey.getEncoded();
                 PBEKeySpec spec =
@@ -160,9 +156,12 @@ protected SecretKey engineTranslateKey(SecretKey key)
                     }
                     Arrays.fill(encoding, (byte)0);
                 }
+            } else {
+                throw new InvalidKeyException("Only PBEKey is accepted");
             }
         }
-        throw new InvalidKeyException("Invalid key format/algorithm");
+        throw new InvalidKeyException("Only PBKDF2With" + prfAlgo +
+                " key with RAW format is accepted");
     }
 
     public static final class HmacSHA1 extends PBKDF2Core {
diff --git a/test/jdk/com/sun/crypto/provider/Cipher/PBE/PBKDF2Translate.java b/test/jdk/com/sun/crypto/provider/Cipher/PBE/PBKDF2Translate.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
 import javax.crypto.SecretKeyFactory;
 import javax.crypto.interfaces.PBEKey;
 import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
 
 /**
  * @test
@@ -68,7 +69,8 @@ public static void main(String[] args) throws Exception {
             try {
                 if (!theTest.testMyOwnSecretKey()
                         || !theTest.generateAndTranslateKey()
-                        || !theTest.translateSpoiledKey()) {
+                        || !theTest.translateSpoiledKey()
+                        || !theTest.testGeneralSecretKey()) {
                     // we don't want to set failed to false
                     failed = true;
                 }
@@ -188,6 +190,45 @@ public boolean translateSpoiledKey() throws NoSuchAlgorithmException,
         return false;
     }
 
+    /**
+     * The test case scenario implemented in the method: - create a general
+     * secret key (does not implement PBEKey) - try calling
+     * translate and getKeySpec methods and see if the expected
+     * InvalidKeyException and InvalidKeySpecException is thrown.
+     *
+     * @return true if the expected Exception occurred; false - otherwise
+     * @throws NoSuchAlgorithmException
+     */
+    public boolean testGeneralSecretKey() throws NoSuchAlgorithmException {
+        SecretKey key = new SecretKeySpec("random#s".getBytes(), algoToTest);
+        SecretKeyFactory skf = SecretKeyFactory.getInstance(algoToTest);
+        try {
+            skf.translateKey(key);
+            System.out.println("Error: expected IKE not thrown");
+            return false;
+        } catch (InvalidKeyException e) {
+            if (e.getMessage().indexOf("PBEKey") == -1) {
+                System.out.println("Error: IKE message should " +
+                        "indicate that PBEKey is required");
+                return false;
+            }
+        }
+
+        try {
+            skf.getKeySpec(key, PBEKeySpec.class);
+            System.out.println("Error: expected IKSE not thrown");
+            return false;
+        } catch (InvalidKeySpecException e) {
+            if (e.getMessage().indexOf("PBEKey") == -1) {
+                System.out.println("Error: IKSE message should " +
+                        "indicate that PBEKey is required");
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     /**
      * Generate a PBKDF2 secret key using given algorithm.
      *

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.`
	`2`	`+ * Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.`
`3`	`3`	`* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.`
`4`	`4`	`*`
`5`	`5`	`* This code is free software; you can redistribute it and/or modify it`
`@@ -63,11 +63,11 @@ abstract class PBKDF2Core extends SecretKeyFactorySpi {`
`63`	`63`	`protected SecretKey engineGenerateSecret(KeySpec keySpec)`
`64`	`64`	`throws InvalidKeySpecException`
`65`	`65`	`{`
`66`		`- if (!(keySpec instanceof PBEKeySpec)) {`
`67`		`- throw new InvalidKeySpecException("Invalid key spec");`
	`66`	`+ if (keySpec instanceof PBEKeySpec ks) {`
	`67`	`+ return new PBKDF2KeyImpl(ks, prfAlgo);`
	`68`	`+ } else {`
	`69`	`+ throw new InvalidKeySpecException("Only PBEKeySpec is accepted");`
`68`	`70`	`}`
`69`		`- PBEKeySpec ks = (PBEKeySpec) keySpec;`
`70`		`- return new PBKDF2KeyImpl(ks, prfAlgo);`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`/**`
`@@ -89,12 +89,10 @@ protected SecretKey engineGenerateSecret(KeySpec keySpec)`
`89`	`89`	`*/`
`90`	`90`	`protected KeySpec engineGetKeySpec(SecretKey key, Class<?> keySpecCl)`
`91`	`91`	`throws InvalidKeySpecException {`
`92`		`- if (key instanceof javax.crypto.interfaces.PBEKey) {`
	`92`	`+ if (key instanceof javax.crypto.interfaces.PBEKey pKey) {`
`93`	`93`	`// Check if requested key spec is amongst the valid ones`
`94`	`94`	`if ((keySpecCl != null)`
`95`	`95`	`&& keySpecCl.isAssignableFrom(PBEKeySpec.class)) {`
`96`		`- javax.crypto.interfaces.PBEKey pKey =`
`97`		`- (javax.crypto.interfaces.PBEKey) key;`
`98`	`96`	`char[] passwd = pKey.getPassword();`
`99`	`97`	`byte[] encoded = pKey.getEncoded();`
`100`	`98`	`try {`
`@@ -107,11 +105,11 @@ protected KeySpec engineGetKeySpec(SecretKey key, Class<?> keySpecCl)`
`107`	`105`	`Arrays.fill(encoded, (byte)0);`
`108`	`106`	`}`
`109`	`107`	`} else {`
`110`		`- throw new InvalidKeySpecException("Invalid key spec");`
	`108`	`+ throw new InvalidKeySpecException`
	`109`	`+ ("Only PBEKeySpec is accepted");`
`111`	`110`	`}`
`112`	`111`	`} else {`
`113`		`- throw new InvalidKeySpecException("Invalid key " +`
`114`		`- "format/algorithm");`
	`112`	`+ throw new InvalidKeySpecException("Only PBEKey is accepted");`
`115`	`113`	`}`
`116`	`114`	`}`
`117`	`115`
`@@ -138,9 +136,7 @@ protected SecretKey engineTranslateKey(SecretKey key)`
`138`	`136`	`return key;`
`139`	`137`	`}`
`140`	`138`	`// Check if key implements the PBEKey`
`141`		`- if (key instanceof javax.crypto.interfaces.PBEKey) {`
`142`		`- javax.crypto.interfaces.PBEKey pKey =`
`143`		`- (javax.crypto.interfaces.PBEKey) key;`
	`139`	`+ if (key instanceof javax.crypto.interfaces.PBEKey pKey) {`
`144`	`140`	`char[] password = pKey.getPassword();`
`145`	`141`	`byte[] encoding = pKey.getEncoded();`
`146`	`142`	`PBEKeySpec spec =`
`@@ -160,9 +156,12 @@ protected SecretKey engineTranslateKey(SecretKey key)`
`160`	`156`	`}`
`161`	`157`	`Arrays.fill(encoding, (byte)0);`
`162`	`158`	`}`
	`159`	`+ } else {`
	`160`	`+ throw new InvalidKeyException("Only PBEKey is accepted");`
`163`	`161`	`}`
`164`	`162`	`}`
`165`		`- throw new InvalidKeyException("Invalid key format/algorithm");`
	`163`	`+ throw new InvalidKeyException("Only PBKDF2With" + prfAlgo +`
	`164`	`+ " key with RAW format is accepted");`
`166`	`165`	`}`
`167`	`166`
`168`	`167`	`public static final class HmacSHA1 extends PBKDF2Core {`