Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
8264849: Add KW and KWP support to PKCS11 provider
Reviewed-by: ascarpino
  • Loading branch information
Valerie Peng committed Oct 19, 2021
1 parent bd2b41d commit e63c148
Show file tree
Hide file tree
Showing 17 changed files with 2,089 additions and 99 deletions.
Expand Up @@ -39,7 +39,7 @@
import sun.security.jca.JCAUtil;
import sun.security.pkcs11.wrapper.*;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;

/**
* P11 AEAD Cipher implementation class. This class currently supports
Expand Down Expand Up @@ -393,7 +393,7 @@ private void implInit(int opmode, Key key, byte[] iv, int tagLen,
try {
initialize();
} catch (PKCS11Exception e) {
if (e.getErrorCode() == CKR_MECHANISM_PARAM_INVALID) {
if (e.match(CKR_MECHANISM_PARAM_INVALID)) {
throw new InvalidAlgorithmParameterException("Bad params", e);
}
throw new InvalidKeyException("Could not initialize cipher", e);
Expand All @@ -416,7 +416,7 @@ private void cancelOperation() {
0, buffer, 0, bufLen);
}
} catch (PKCS11Exception e) {
if (e.getErrorCode() == CKR_OPERATION_NOT_INITIALIZED) {
if (e.match(CKR_OPERATION_NOT_INITIALIZED)) {
// Cancel Operation may be invoked after an error on a PKCS#11
// call. If the operation inside the token was already cancelled,
// do not fail here. This is part of a defensive mechanism for
Expand Down Expand Up @@ -812,17 +812,16 @@ private int implDoFinal(ByteBuffer inBuffer, ByteBuffer outBuffer)
private void handleException(PKCS11Exception e)
throws ShortBufferException, IllegalBlockSizeException,
BadPaddingException {
long errorCode = e.getErrorCode();
if (errorCode == CKR_BUFFER_TOO_SMALL) {
if (e.match(CKR_BUFFER_TOO_SMALL)) {
throw (ShortBufferException)
(new ShortBufferException().initCause(e));
} else if (errorCode == CKR_DATA_LEN_RANGE ||
errorCode == CKR_ENCRYPTED_DATA_LEN_RANGE) {
} else if (e.match(CKR_DATA_LEN_RANGE) ||
e.match(CKR_ENCRYPTED_DATA_LEN_RANGE)) {
throw (IllegalBlockSizeException)
(new IllegalBlockSizeException(e.toString()).initCause(e));
} else if (errorCode == CKR_ENCRYPTED_DATA_INVALID ||
// Solaris-specific
errorCode == CKR_GENERAL_ERROR) {
} else if (e.match(CKR_ENCRYPTED_DATA_INVALID) ||
e.match(CKR_GENERAL_ERROR)) {
// CKR_GENERAL_ERROR is Solaris-specific workaround
throw (AEADBadTagException)
(new AEADBadTagException(e.toString()).initCause(e));
}
Expand Down
Expand Up @@ -38,7 +38,7 @@
import sun.security.jca.JCAUtil;
import sun.security.pkcs11.wrapper.*;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;

/**
* Cipher implementation class. This class currently supports
Expand Down Expand Up @@ -456,7 +456,7 @@ private void cancelOperation() {
token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
}
} catch (PKCS11Exception e) {
if (e.getErrorCode() == CKR_OPERATION_NOT_INITIALIZED) {
if (e.match(CKR_OPERATION_NOT_INITIALIZED)) {
// Cancel Operation may be invoked after an error on a PKCS#11
// call. If the operation inside the token was already cancelled,
// do not fail here. This is part of a defensive mechanism for
Expand Down Expand Up @@ -656,7 +656,7 @@ private int implUpdate(byte[] in, int inOfs, int inLen,
bytesBuffered += (inLen - k);
return k;
} catch (PKCS11Exception e) {
if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) {
if (e.match(CKR_BUFFER_TOO_SMALL)) {
throw (ShortBufferException)
(new ShortBufferException().initCause(e));
}
Expand Down Expand Up @@ -780,7 +780,7 @@ private int implUpdate(ByteBuffer inBuffer, ByteBuffer outBuffer)
} catch (PKCS11Exception e) {
// Reset input buffer to its original position for
inBuffer.position(origPos);
if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) {
if (e.match(CKR_BUFFER_TOO_SMALL)) {
throw (ShortBufferException)
(new ShortBufferException().initCause(e));
}
Expand Down Expand Up @@ -962,12 +962,11 @@ private int implDoFinal(ByteBuffer outBuffer)

private void handleException(PKCS11Exception e)
throws ShortBufferException, IllegalBlockSizeException {
long errorCode = e.getErrorCode();
if (errorCode == CKR_BUFFER_TOO_SMALL) {
if (e.match(CKR_BUFFER_TOO_SMALL)) {
throw (ShortBufferException)
(new ShortBufferException().initCause(e));
} else if (errorCode == CKR_DATA_LEN_RANGE ||
errorCode == CKR_ENCRYPTED_DATA_LEN_RANGE) {
} else if (e.match(CKR_DATA_LEN_RANGE) ||
e.match(CKR_ENCRYPTED_DATA_LEN_RANGE)) {
throw (IllegalBlockSizeException)
(new IllegalBlockSizeException(e.toString()).initCause(e));
}
Expand Down
Expand Up @@ -27,8 +27,12 @@

import java.security.*;
import java.security.spec.*;

import java.util.Map;
import java.util.HashMap;
import java.util.Locale;
import sun.security.pkcs11.wrapper.PKCS11Exception;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;


/**
* KeyFactory base class. Provides common infrastructure for the RSA, DSA,
Expand All @@ -55,6 +59,28 @@ abstract class P11KeyFactory extends KeyFactorySpi {
this.algorithm = algorithm;
}

private static final Map<String,Long> keyTypes;

static {
keyTypes = new HashMap<String,Long>();
addKeyType("RSA", CKK_RSA);
addKeyType("DSA", CKK_DSA);
addKeyType("DH", CKK_DH);
addKeyType("EC", CKK_EC);
}

private static void addKeyType(String name, long id) {
Long l = Long.valueOf(id);
keyTypes.put(name, l);
keyTypes.put(name.toUpperCase(Locale.ENGLISH), l);
}

// returns the PKCS11 key type of the specified algorithm
static long getPKCS11KeyType(String algorithm) {
Long kt = keyTypes.get(algorithm);
return (kt != null) ? kt.longValue() : -1;
}

/**
* Convert an arbitrary key of algorithm into a P11Key of token.
* Used by P11Signature.init() and RSACipher.init().
Expand Down
Expand Up @@ -73,7 +73,7 @@

import sun.security.pkcs11.wrapper.*;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;

import sun.security.rsa.RSAKeyFactory;

Expand Down Expand Up @@ -757,7 +757,7 @@ public synchronized void engineLoad(InputStream stream, char[] password)
Throwable cause = e.getCause();
if (cause instanceof PKCS11Exception) {
PKCS11Exception pe = (PKCS11Exception) cause;
if (pe.getErrorCode() == CKR_PIN_INCORRECT) {
if (pe.match(CKR_PIN_INCORRECT)) {
// if password is wrong, the cause of the IOException
// should be an UnrecoverableKeyException
throw new IOException("load failed",
Expand Down Expand Up @@ -2330,7 +2330,7 @@ private boolean mapLabels() throws
cka_label = new String(attrs[0].getCharArray());
}
} catch (PKCS11Exception pe) {
if (pe.getErrorCode() != CKR_ATTRIBUTE_TYPE_INVALID) {
if (!pe.match(CKR_ATTRIBUTE_TYPE_INVALID)) {
throw pe;
}

Expand Down Expand Up @@ -2371,7 +2371,7 @@ private boolean mapLabels() throws
(session.id(), handle, trustedAttr);
cka_trusted = trustedAttr[0].getBoolean();
} catch (PKCS11Exception pe) {
if (pe.getErrorCode() == CKR_ATTRIBUTE_TYPE_INVALID) {
if (pe.match(CKR_ATTRIBUTE_TYPE_INVALID)) {
// XXX NSS, ibutton, sca1000
CKA_TRUSTED_SUPPORTED = false;
if (debug != null) {
Expand Down

1 comment on commit e63c148

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.