8264849: Add KW and KWP support to PKCS11 provider
Reviewed-by: ascarpino
Valerie Peng committed Oct 19, 2021
1 parent bd2b41d commit e63c1486dc00ee64dea1a76b5a44e34f06eb144f
Showing 17 changed files with 2,089 additions and 99 deletions.
@@ -39,7 +39,7 @@
import sun.security.jca.JCAUtil;
import sun.security.pkcs11.wrapper.*;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;

/**
* P11 AEAD Cipher implementation class. This class currently supports
@@ -393,7 +393,7 @@ private void implInit(int opmode, Key key, byte[] iv, int tagLen,
try {
initialize();
} catch (PKCS11Exception e) {
if (e.getErrorCode() == CKR_MECHANISM_PARAM_INVALID) {
if (e.match(CKR_MECHANISM_PARAM_INVALID)) {
throw new InvalidAlgorithmParameterException("Bad params", e);
}
throw new InvalidKeyException("Could not initialize cipher", e);
@@ -416,7 +416,7 @@ private void cancelOperation() {
0, buffer, 0, bufLen);
}
} catch (PKCS11Exception e) {
if (e.getErrorCode() == CKR_OPERATION_NOT_INITIALIZED) {
if (e.match(CKR_OPERATION_NOT_INITIALIZED)) {
// Cancel Operation may be invoked after an error on a PKCS#11
// call. If the operation inside the token was already cancelled,
// do not fail here. This is part of a defensive mechanism for
@@ -812,17 +812,16 @@ private int implDoFinal(ByteBuffer inBuffer, ByteBuffer outBuffer)
private void handleException(PKCS11Exception e)
throws ShortBufferException, IllegalBlockSizeException,
BadPaddingException {
long errorCode = e.getErrorCode();
if (errorCode == CKR_BUFFER_TOO_SMALL) {
if (e.match(CKR_BUFFER_TOO_SMALL)) {
throw (ShortBufferException)
(new ShortBufferException().initCause(e));
} else if (errorCode == CKR_DATA_LEN_RANGE ||
errorCode == CKR_ENCRYPTED_DATA_LEN_RANGE) {
} else if (e.match(CKR_DATA_LEN_RANGE) ||
e.match(CKR_ENCRYPTED_DATA_LEN_RANGE)) {
throw (IllegalBlockSizeException)
(new IllegalBlockSizeException(e.toString()).initCause(e));
} else if (errorCode == CKR_ENCRYPTED_DATA_INVALID ||
// Solaris-specific
errorCode == CKR_GENERAL_ERROR) {
} else if (e.match(CKR_ENCRYPTED_DATA_INVALID) ||
e.match(CKR_GENERAL_ERROR)) {
// CKR_GENERAL_ERROR is Solaris-specific workaround
throw (AEADBadTagException)
(new AEADBadTagException(e.toString()).initCause(e));
}
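Review bot: In the last branch of `handleException`, `CKR_GENERAL_ERROR` is still translated to `AEADBadTagException` on every platform, and the reworded comment now sits inside the branch body rather than beside the operand it explains. A caller that receives `AEADBadTagException` will treat the ciphertext as tampered, so a token that returns a general failure for some unrelated reason would be reported as an authentication failure. If the workaround has to stay unconditional, I would spell out that consequence next to the `e.match(CKR_GENERAL_ERROR)` operand, e.g. `// Solaris workaround: a tag mismatch is presumably reported as CKR_GENERAL_ERROR there, so any general error also surfaces as a bad tag`. The method continues past the end of the hunk, so what happens to unmatched return values is not visible here.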
@@ -38,7 +38,7 @@
import sun.security.jca.JCAUtil;
import sun.security.pkcs11.wrapper.*;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;

/**
* Cipher implementation class. This class currently supports
@@ -456,7 +456,7 @@ private void cancelOperation() {
token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
}
} catch (PKCS11Exception e) {
if (e.getErrorCode() == CKR_OPERATION_NOT_INITIALIZED) {
if (e.match(CKR_OPERATION_NOT_INITIALIZED)) {
// Cancel Operation may be invoked after an error on a PKCS#11
// call. If the operation inside the token was already cancelled,
// do not fail here. This is part of a defensive mechanism for
@@ -656,7 +656,7 @@ private int implUpdate(byte[] in, int inOfs, int inLen,
bytesBuffered += (inLen - k);
return k;
} catch (PKCS11Exception e) {
if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) {
if (e.match(CKR_BUFFER_TOO_SMALL)) {
throw (ShortBufferException)
(new ShortBufferException().initCause(e));
}
@@ -780,7 +780,7 @@ private int implUpdate(ByteBuffer inBuffer, ByteBuffer outBuffer)
} catch (PKCS11Exception e) {
// Reset input buffer to its original position for
inBuffer.position(origPos);
if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) {
if (e.match(CKR_BUFFER_TOO_SMALL)) {
throw (ShortBufferException)
(new ShortBufferException().initCause(e));
}
@@ -962,12 +962,11 @@ private int implDoFinal(ByteBuffer outBuffer)

private void handleException(PKCS11Exception e)
throws ShortBufferException, IllegalBlockSizeException {
long errorCode = e.getErrorCode();
if (errorCode == CKR_BUFFER_TOO_SMALL) {
if (e.match(CKR_BUFFER_TOO_SMALL)) {
throw (ShortBufferException)
(new ShortBufferException().initCause(e));
} else if (errorCode == CKR_DATA_LEN_RANGE ||
errorCode == CKR_ENCRYPTED_DATA_LEN_RANGE) {
} else if (e.match(CKR_DATA_LEN_RANGE) ||
e.match(CKR_ENCRYPTED_DATA_LEN_RANGE)) {
throw (IllegalBlockSizeException)
(new IllegalBlockSizeException(e.toString()).initCause(e));
}
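Review bot: The comment above `inBuffer.position(origPos)` in the catch block of `implUpdate(ByteBuffer, ByteBuffer)` stops mid-sentence ("Reset input buffer to its original position for"), and since this change edits the very next statement it is a good moment to finish it. Something like `// Reset input buffer to its original position so the caller can retry the update` would do, assuming that is the intent. Separately, the same `CKR_BUFFER_TOO_SMALL` to `ShortBufferException` translation now appears in both `implUpdate` overloads and in `handleException`; a small private helper would keep the three copies from drifting. The enclosing methods begin and end outside these hunks.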
@@ -27,8 +27,12 @@

import java.security.*;
import java.security.spec.*;

import java.util.Map;
import java.util.HashMap;
import java.util.Locale;
import sun.security.pkcs11.wrapper.PKCS11Exception;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;


/**
* KeyFactory base class. Provides common infrastructure for the RSA, DSA,
@@ -55,6 +59,28 @@ abstract class P11KeyFactory extends KeyFactorySpi {
this.algorithm = algorithm;
}

private static final Map<String,Long> keyTypes;

static {
keyTypes = new HashMap<String,Long>();
addKeyType("RSA", CKK_RSA);
addKeyType("DSA", CKK_DSA);
addKeyType("DH", CKK_DH);
addKeyType("EC", CKK_EC);
}

private static void addKeyType(String name, long id) {
Long l = Long.valueOf(id);
keyTypes.put(name, l);
keyTypes.put(name.toUpperCase(Locale.ENGLISH), l);
}

// returns the PKCS11 key type of the specified algorithm
static long getPKCS11KeyType(String algorithm) {
Long kt = keyTypes.get(algorithm);
return (kt != null) ? kt.longValue() : -1;
}

/**
* Convert an arbitrary key of algorithm into a P11Key of token.
* Used by P11Signature.init() and RSACipher.init().
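Review bot: `getPKCS11KeyType` looks the algorithm up exactly as given, so `"rsa"` or `"Ec"` returns -1 even though `addKeyType` registers an upper-cased alias. All four registered names are already upper case, which makes the second `put` a no-op. JCA algorithm names are normally matched case-insensitively, so if a caller-supplied name can reach this method I would fold case in the lookup: `Long kt = (algorithm == null) ? null : keyTypes.get(algorithm.toUpperCase(Locale.ENGLISH));`. The -1 sentinel also deserves a mention in the comment, e.g. `// returns the PKCS11 key type of the specified algorithm, or -1 if it is not RSA, DSA, DH or EC`, so callers check it before building a key-type attribute from the value.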
@@ -73,7 +73,7 @@

import sun.security.pkcs11.wrapper.*;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;

import sun.security.rsa.RSAKeyFactory;

@@ -757,7 +757,7 @@ public synchronized void engineLoad(InputStream stream, char[] password)
Throwable cause = e.getCause();
if (cause instanceof PKCS11Exception) {
PKCS11Exception pe = (PKCS11Exception) cause;
if (pe.getErrorCode() == CKR_PIN_INCORRECT) {
if (pe.match(CKR_PIN_INCORRECT)) {
// if password is wrong, the cause of the IOException
// should be an UnrecoverableKeyException
throw new IOException("load failed",
@@ -2330,7 +2330,7 @@ private boolean mapLabels() throws
cka_label = new String(attrs[0].getCharArray());
}
} catch (PKCS11Exception pe) {
if (pe.getErrorCode() != CKR_ATTRIBUTE_TYPE_INVALID) {
if (!pe.match(CKR_ATTRIBUTE_TYPE_INVALID)) {
throw pe;
}

@@ -2371,7 +2371,7 @@ private boolean mapLabels() throws
(session.id(), handle, trustedAttr);
cka_trusted = trustedAttr[0].getBoolean();
} catch (PKCS11Exception pe) {
if (pe.getErrorCode() == CKR_ATTRIBUTE_TYPE_INVALID) {
if (pe.match(CKR_ATTRIBUTE_TYPE_INVALID)) {
// XXX NSS, ibutton, sca1000
CKA_TRUSTED_SUPPORTED = false;
if (debug != null) {

1 comment on commit e63c148


@openjdk-notifier openjdk-notifier bot commented on e63c148 Oct 19, 2021
