|
|
60df80 |
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
|
|
|
60df80 |
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
|
|
|
60df80 |
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
|
|
|
60df80 |
@@ -87,8 +87,8 @@
|
|
|
60df80 |
// name of the key algorithm, currently either RSA or DSA
|
|
|
60df80 |
private final String keyAlgorithm;
|
|
|
60df80 |
|
|
|
60df80 |
- // mechanism id
|
|
|
60df80 |
- private final long mechanism;
|
|
|
60df80 |
+ // mechanism
|
|
|
60df80 |
+ private final CK_MECHANISM mechanism;
|
|
|
60df80 |
|
|
|
60df80 |
// digest algorithm OID, if we encode RSA signature ourselves
|
|
|
60df80 |
private final ObjectIdentifier digestOID;
|
|
|
60df80 |
@@ -138,11 +138,62 @@
|
|
|
60df80 |
super();
|
|
|
60df80 |
this.token = token;
|
|
|
60df80 |
this.algorithm = algorithm;
|
|
|
60df80 |
- this.mechanism = mechanism;
|
|
|
60df80 |
+ CK_MECHANISM ckMechanism = new CK_MECHANISM(mechanism);
|
|
|
60df80 |
+ final CK_RSA_PKCS_PSS_PARAMS mechParams;
|
|
|
60df80 |
byte[] buffer = null;
|
|
|
60df80 |
ObjectIdentifier digestOID = null;
|
|
|
60df80 |
MessageDigest md = null;
|
|
|
60df80 |
switch ((int)mechanism) {
|
|
|
60df80 |
+ case (int)CKM_SHA1_RSA_PKCS_PSS:
|
|
|
60df80 |
+ mechParams = new CK_RSA_PKCS_PSS_PARAMS();
|
|
|
60df80 |
+ mechParams.hashAlg = CKM_SHA_1;
|
|
|
60df80 |
+ mechParams.mgf = CKG_MGF1_SHA1;
|
|
|
60df80 |
+ mechParams.sLen = 20;
|
|
|
60df80 |
+ ckMechanism = new CK_MECHANISM(mechanism, mechParams);
|
|
|
60df80 |
+ this.keyAlgorithm = "RSA";
|
|
|
60df80 |
+ this.type = T_UPDATE;
|
|
|
60df80 |
+ buffer = new byte[1];
|
|
|
60df80 |
+ break;
|
|
|
60df80 |
+ case (int)CKM_SHA224_RSA_PKCS_PSS:
|
|
|
60df80 |
+ mechParams = new CK_RSA_PKCS_PSS_PARAMS();
|
|
|
60df80 |
+ mechParams.hashAlg = CKM_SHA224;
|
|
|
60df80 |
+ mechParams.mgf = CKG_MGF1_SHA224;
|
|
|
60df80 |
+ mechParams.sLen = 28;
|
|
|
60df80 |
+ ckMechanism = new CK_MECHANISM(mechanism, mechParams);
|
|
|
60df80 |
+ this.keyAlgorithm = "RSA";
|
|
|
60df80 |
+ this.type = T_UPDATE;
|
|
|
60df80 |
+ buffer = new byte[1];
|
|
|
60df80 |
+ break;
|
|
|
60df80 |
+ case (int)CKM_SHA256_RSA_PKCS_PSS:
|
|
|
60df80 |
+ mechParams = new CK_RSA_PKCS_PSS_PARAMS();
|
|
|
60df80 |
+ mechParams.hashAlg = CKM_SHA256;
|
|
|
60df80 |
+ mechParams.mgf = CKG_MGF1_SHA256;
|
|
|
60df80 |
+ mechParams.sLen = 32;
|
|
|
60df80 |
+ ckMechanism = new CK_MECHANISM(mechanism, mechParams);
|
|
|
60df80 |
+ this.keyAlgorithm = "RSA";
|
|
|
60df80 |
+ this.type = T_UPDATE;
|
|
|
60df80 |
+ buffer = new byte[1];
|
|
|
60df80 |
+ break;
|
|
|
60df80 |
+ case (int)CKM_SHA384_RSA_PKCS_PSS:
|
|
|
60df80 |
+ mechParams = new CK_RSA_PKCS_PSS_PARAMS();
|
|
|
60df80 |
+ mechParams.hashAlg = CKM_SHA384;
|
|
|
60df80 |
+ mechParams.mgf = CKG_MGF1_SHA384;
|
|
|
60df80 |
+ mechParams.sLen = 48;
|
|
|
60df80 |
+ ckMechanism = new CK_MECHANISM(mechanism, mechParams);
|
|
|
60df80 |
+ this.keyAlgorithm = "RSA";
|
|
|
60df80 |
+ this.type = T_UPDATE;
|
|
|
60df80 |
+ buffer = new byte[1];
|
|
|
60df80 |
+ break;
|
|
|
60df80 |
+ case (int)CKM_SHA512_RSA_PKCS_PSS:
|
|
|
60df80 |
+ mechParams = new CK_RSA_PKCS_PSS_PARAMS();
|
|
|
60df80 |
+ mechParams.hashAlg = CKM_SHA512;
|
|
|
60df80 |
+ mechParams.mgf = CKG_MGF1_SHA512;
|
|
|
60df80 |
+ mechParams.sLen = 64;
|
|
|
60df80 |
+ ckMechanism = new CK_MECHANISM(mechanism, mechParams);
|
|
|
60df80 |
+ this.keyAlgorithm = "RSA";
|
|
|
60df80 |
+ this.type = T_UPDATE;
|
|
|
60df80 |
+ buffer = new byte[1];
|
|
|
60df80 |
+ break;
|
|
|
60df80 |
case (int)CKM_MD2_RSA_PKCS:
|
|
|
60df80 |
case (int)CKM_MD5_RSA_PKCS:
|
|
|
60df80 |
case (int)CKM_SHA1_RSA_PKCS:
|
|
|
60df80 |
@@ -232,6 +283,7 @@
|
|
|
60df80 |
default:
|
|
|
60df80 |
throw new ProviderException("Unknown mechanism: " + mechanism);
|
|
|
60df80 |
}
|
|
|
60df80 |
+ this.mechanism = ckMechanism;
|
|
|
60df80 |
this.buffer = buffer;
|
|
|
60df80 |
this.digestOID = digestOID;
|
|
|
60df80 |
this.md = md;
|
|
|
60df80 |
@@ -314,10 +366,10 @@
|
|
|
60df80 |
}
|
|
|
60df80 |
if (mode == M_SIGN) {
|
|
|
60df80 |
token.p11.C_SignInit(session.id(),
|
|
|
60df80 |
- new CK_MECHANISM(mechanism), p11Key.keyID);
|
|
|
60df80 |
+ mechanism, p11Key.keyID);
|
|
|
60df80 |
} else {
|
|
|
60df80 |
token.p11.C_VerifyInit(session.id(),
|
|
|
60df80 |
- new CK_MECHANISM(mechanism), p11Key.keyID);
|
|
|
60df80 |
+ mechanism, p11Key.keyID);
|
|
|
60df80 |
}
|
|
|
60df80 |
initialized = true;
|
|
|
60df80 |
} catch (PKCS11Exception e) {
|
|
|
60df80 |
@@ -399,7 +451,8 @@
|
|
|
60df80 |
} else if (algorithm.equals("SHA512withRSA")) {
|
|
|
60df80 |
encodedLength = 83;
|
|
|
60df80 |
} else {
|
|
|
60df80 |
- throw new ProviderException("Unknown signature algo: " + algorithm);
|
|
|
60df80 |
+ encodedLength = 0;
|
|
|
60df80 |
+ //throw new ProviderException("Unknown signature algo: " + algorithm);
|
|
|
60df80 |
}
|
|
|
60df80 |
if (encodedLength > maxDataSize) {
|
|
|
60df80 |
throw new InvalidKeyException
|
|
|
60df80 |
@@ -568,7 +621,7 @@
|
|
|
60df80 |
if (type == T_DIGEST) {
|
|
|
60df80 |
digest = md.digest();
|
|
|
60df80 |
} else { // T_RAW
|
|
|
60df80 |
- if (mechanism == CKM_DSA) {
|
|
|
60df80 |
+ if (mechanism.mechanism == CKM_DSA) {
|
|
|
60df80 |
if (bytesProcessed != buffer.length) {
|
|
|
60df80 |
throw new SignatureException
|
|
|
60df80 |
("Data for RawDSA must be exactly 20 bytes long");
|
|
|
60df80 |
@@ -588,7 +641,7 @@
|
|
|
60df80 |
signature = token.p11.C_Sign(session.id(), digest);
|
|
|
60df80 |
} else { // RSA
|
|
|
60df80 |
byte[] data = encodeSignature(digest);
|
|
|
60df80 |
- if (mechanism == CKM_RSA_X_509) {
|
|
|
60df80 |
+ if (mechanism.mechanism == CKM_RSA_X_509) {
|
|
|
60df80 |
data = pkcs1Pad(data);
|
|
|
60df80 |
}
|
|
|
60df80 |
signature = token.p11.C_Sign(session.id(), data);
|
|
|
60df80 |
@@ -623,7 +676,7 @@
|
|
|
60df80 |
if (type == T_DIGEST) {
|
|
|
60df80 |
digest = md.digest();
|
|
|
60df80 |
} else { // T_RAW
|
|
|
60df80 |
- if (mechanism == CKM_DSA) {
|
|
|
60df80 |
+ if (mechanism.mechanism == CKM_DSA) {
|
|
|
60df80 |
if (bytesProcessed != buffer.length) {
|
|
|
60df80 |
throw new SignatureException
|
|
|
60df80 |
("Data for RawDSA must be exactly 20 bytes long");
|
|
|
60df80 |
@@ -643,7 +696,7 @@
|
|
|
60df80 |
token.p11.C_Verify(session.id(), digest, signature);
|
|
|
60df80 |
} else { // RSA
|
|
|
60df80 |
byte[] data = encodeSignature(digest);
|
|
|
60df80 |
- if (mechanism == CKM_RSA_X_509) {
|
|
|
60df80 |
+ if (mechanism.mechanism == CKM_RSA_X_509) {
|
|
|
60df80 |
data = pkcs1Pad(data);
|
|
|
60df80 |
}
|
|
|
60df80 |
token.p11.C_Verify(session.id(), data, signature);
|
|
|
60df80 |
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
|
|
|
60df80 |
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
|
|
|
60df80 |
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
|
|
|
60df80 |
@@ -729,6 +729,16 @@
|
|
|
60df80 |
d(SIG, "SHA512withRSA", P11Signature,
|
|
|
60df80 |
s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
|
|
|
60df80 |
m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
|
|
|
60df80 |
+ d(SIG, "SHA1withRSAandMGF1", P11Signature,
|
|
|
60df80 |
+ m(CKM_SHA1_RSA_PKCS_PSS));
|
|
|
60df80 |
+ d(SIG, "SHA224withRSAandMGF1", P11Signature,
|
|
|
60df80 |
+ m(CKM_SHA224_RSA_PKCS_PSS));
|
|
|
60df80 |
+ d(SIG, "SHA256withRSAandMGF1", P11Signature,
|
|
|
60df80 |
+ m(CKM_SHA256_RSA_PKCS_PSS));
|
|
|
60df80 |
+ d(SIG, "SHA384withRSAandMGF1", P11Signature,
|
|
|
60df80 |
+ m(CKM_SHA384_RSA_PKCS_PSS));
|
|
|
60df80 |
+ d(SIG, "SHA512withRSAandMGF1", P11Signature,
|
|
|
60df80 |
+ m(CKM_SHA512_RSA_PKCS_PSS));
|
|
|
60df80 |
|
|
|
60df80 |
d(KG, "SunTlsRsaPremasterSecret",
|
|
|
60df80 |
"sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
|
|
|
60df80 |
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Token.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Token.java
|
|
|
60df80 |
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Token.java
|
|
|
60df80 |
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Token.java
|
|
|
60df80 |
@@ -377,6 +377,10 @@
|
|
|
60df80 |
return keyStore;
|
|
|
60df80 |
}
|
|
|
60df80 |
|
|
|
60df80 |
+ CK_MECHANISM_INFO getMechanismInfo(CK_MECHANISM mechanism) throws PKCS11Exception {
|
|
|
60df80 |
+ return getMechanismInfo(mechanism.mechanism);
|
|
|
60df80 |
+ }
|
|
|
60df80 |
+
|
|
|
60df80 |
CK_MECHANISM_INFO getMechanismInfo(long mechanism) throws PKCS11Exception {
|
|
|
60df80 |
CK_MECHANISM_INFO result = mechInfoMap.get(mechanism);
|
|
|
60df80 |
if (result == null) {
|
|
|
60df80 |
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
|
|
|
60df80 |
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
|
|
|
60df80 |
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
|
|
|
60df80 |
@@ -116,6 +116,10 @@
|
|
|
60df80 |
init(mechanism, params);
|
|
|
60df80 |
}
|
|
|
60df80 |
|
|
|
60df80 |
+ public CK_MECHANISM(long mechanism, CK_RSA_PKCS_PSS_PARAMS params) {
|
|
|
60df80 |
+ init(mechanism, params);
|
|
|
60df80 |
+ }
|
|
|
60df80 |
+
|
|
|
60df80 |
public CK_MECHANISM(long mechanism, CK_SSL3_KEY_MAT_PARAMS params) {
|
|
|
60df80 |
init(mechanism, params);
|
|
|
60df80 |
}
|
|
|
60df80 |
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
|
|
60df80 |
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
|
|
60df80 |
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
|
|
|
60df80 |
@@ -458,6 +458,12 @@
|
|
|
60df80 |
public static final long CKM_SHA384_RSA_PKCS = 0x00000041L;
|
|
|
60df80 |
public static final long CKM_SHA512_RSA_PKCS = 0x00000042L;
|
|
|
60df80 |
|
|
|
60df80 |
+ // v2.30
|
|
|
60df80 |
+ public static final long CKM_SHA256_RSA_PKCS_PSS = 0x00000043L;
|
|
|
60df80 |
+ public static final long CKM_SHA384_RSA_PKCS_PSS = 0x00000044L;
|
|
|
60df80 |
+ public static final long CKM_SHA512_RSA_PKCS_PSS = 0x00000045L;
|
|
|
60df80 |
+
|
|
|
60df80 |
+
|
|
|
60df80 |
public static final long CKM_RC2_KEY_GEN = 0x00000100L;
|
|
|
60df80 |
public static final long CKM_RC2_ECB = 0x00000101L;
|
|
|
60df80 |
public static final long CKM_RC2_CBC = 0x00000102L;
|
|
|
60df80 |
@@ -919,6 +925,10 @@
|
|
|
60df80 |
|
|
|
60df80 |
/* The following MGFs are defined */
|
|
|
60df80 |
public static final long CKG_MGF1_SHA1 = 0x00000001L;
|
|
|
60df80 |
+ public static final long CKG_MGF1_SHA256 = 0x00000002L;
|
|
|
60df80 |
+ public static final long CKG_MGF1_SHA384 = 0x00000003L;
|
|
|
60df80 |
+ public static final long CKG_MGF1_SHA512 = 0x00000004L;
|
|
|
60df80 |
+
|
|
|
60df80 |
// new for v2.20 amendment 3
|
|
|
60df80 |
public static final long CKG_MGF1_SHA224 = 0x00000005L;
|
|
|
60df80 |
|