Blame SOURCES/pr3393-rh1273760-support_rsaandmgf1_with_sha_in_pkcs11.patch

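diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
@@ -87,8 +87,8 @@
     // name of the key algorithm, currently either RSA or DSA
     private final String keyAlgorithm;
 
-    // mechanism id
-    private final long mechanism;
+    // mechanism
+    private final CK_MECHANISM mechanism;
 
     // digest algorithm OID, if we encode RSA signature ourselves
     private final ObjectIdentifier digestOID;
@@ -138,11 +138,62 @@
         super();
         this.token = token;
         this.algorithm = algorithm;
-        this.mechanism = mechanism;
+        CK_MECHANISM ckMechanism = new CK_MECHANISM(mechanism);
+        final CK_RSA_PKCS_PSS_PARAMS mechParams;
         byte[] buffer = null;
         ObjectIdentifier digestOID = null;
         MessageDigest md = null;
         switch ((int)mechanism) {
+        case (int)CKM_SHA1_RSA_PKCS_PSS:
+            mechParams = new CK_RSA_PKCS_PSS_PARAMS();
+            mechParams.hashAlg = CKM_SHA_1;
+            mechParams.mgf = CKG_MGF1_SHA1;
+            mechParams.sLen = 20;
+            ckMechanism = new CK_MECHANISM(mechanism, mechParams);
+            this.keyAlgorithm = "RSA";
+            this.type = T_UPDATE;
+            buffer = new byte[1];
+            break;
+        case (int)CKM_SHA224_RSA_PKCS_PSS:
+            mechParams = new CK_RSA_PKCS_PSS_PARAMS();
+            mechParams.hashAlg = CKM_SHA224;
+            mechParams.mgf = CKG_MGF1_SHA224;
+            mechParams.sLen = 28;
+            ckMechanism = new CK_MECHANISM(mechanism, mechParams);
+            this.keyAlgorithm = "RSA";
+            this.type = T_UPDATE;
+            buffer = new byte[1];
+            break;
+        case (int)CKM_SHA256_RSA_PKCS_PSS:
+            mechParams = new CK_RSA_PKCS_PSS_PARAMS();
+            mechParams.hashAlg = CKM_SHA256;
+            mechParams.mgf = CKG_MGF1_SHA256;
+            mechParams.sLen = 32;
+            ckMechanism = new CK_MECHANISM(mechanism, mechParams);
+            this.keyAlgorithm = "RSA";
+            this.type = T_UPDATE;
+            buffer = new byte[1];
+            break;
+        case (int)CKM_SHA384_RSA_PKCS_PSS:
+            mechParams = new CK_RSA_PKCS_PSS_PARAMS();
+            mechParams.hashAlg = CKM_SHA384;
+            mechParams.mgf = CKG_MGF1_SHA384;
+            mechParams.sLen = 48;
+            ckMechanism = new CK_MECHANISM(mechanism, mechParams);
+            this.keyAlgorithm = "RSA";
+            this.type = T_UPDATE;
+            buffer = new byte[1];
+            break;
+        case (int)CKM_SHA512_RSA_PKCS_PSS:
+            mechParams = new CK_RSA_PKCS_PSS_PARAMS();
+            mechParams.hashAlg = CKM_SHA512;
+            mechParams.mgf = CKG_MGF1_SHA512;
+            mechParams.sLen = 64;
+            ckMechanism = new CK_MECHANISM(mechanism, mechParams);
+            this.keyAlgorithm = "RSA";
+            this.type = T_UPDATE;
+            buffer = new byte[1];
+            break;
         case (int)CKM_MD2_RSA_PKCS:
         case (int)CKM_MD5_RSA_PKCS:
         case (int)CKM_SHA1_RSA_PKCS:
@@ -232,6 +283,7 @@
         default:
             throw new ProviderException("Unknown mechanism: " + mechanism);
         }
+        this.mechanism = ckMechanism;
         this.buffer = buffer;
         this.digestOID = digestOID;
         this.md = md;
@@ -314,10 +366,10 @@
             }
             if (mode == M_SIGN) {
                 token.p11.C_SignInit(session.id(),
-                        new CK_MECHANISM(mechanism), p11Key.keyID);
+                        mechanism, p11Key.keyID);
             } else {
                 token.p11.C_VerifyInit(session.id(),
-                        new CK_MECHANISM(mechanism), p11Key.keyID);
+                        mechanism, p11Key.keyID);
             }
             initialized = true;
         } catch (PKCS11Exception e) {
@@ -399,7 +451,8 @@
         } else if (algorithm.equals("SHA512withRSA")) {
             encodedLength = 83;
         } else {
-            throw new ProviderException("Unknown signature algo: " + algorithm);
+            encodedLength = 0;
+            //throw new ProviderException("Unknown signature algo: " + algorithm);
         }
         if (encodedLength > maxDataSize) {
             throw new InvalidKeyException
@@ -568,7 +621,7 @@
                 if (type == T_DIGEST) {
                     digest = md.digest();
                 } else { // T_RAW
-                    if (mechanism == CKM_DSA) {
+                    if (mechanism.mechanism == CKM_DSA) {
                         if (bytesProcessed != buffer.length) {
                             throw new SignatureException
                             ("Data for RawDSA must be exactly 20 bytes long");
@@ -588,7 +641,7 @@
                     signature = token.p11.C_Sign(session.id(), digest);
                 } else { // RSA
                     byte[] data = encodeSignature(digest);
-                    if (mechanism == CKM_RSA_X_509) {
+                    if (mechanism.mechanism == CKM_RSA_X_509) {
                         data = pkcs1Pad(data);
                     }
                     signature = token.p11.C_Sign(session.id(), data);
@@ -623,7 +676,7 @@
                 if (type == T_DIGEST) {
                     digest = md.digest();
                 } else { // T_RAW
-                    if (mechanism == CKM_DSA) {
+                    if (mechanism.mechanism == CKM_DSA) {
                         if (bytesProcessed != buffer.length) {
                             throw new SignatureException
                             ("Data for RawDSA must be exactly 20 bytes long");
@@ -643,7 +696,7 @@
                     token.p11.C_Verify(session.id(), digest, signature);
                 } else { // RSA
                     byte[] data = encodeSignature(digest);
-                    if (mechanism == CKM_RSA_X_509) {
+                    if (mechanism.mechanism == CKM_RSA_X_509) {
                         data = pkcs1Pad(data);
                     }
                     token.p11.C_Verify(session.id(), data, signature);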
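Review bot: The `else` branch in the `@@ -399,7 +451,8 @@` hunk now fails open: it sets `encodedLength = 0;` for every algorithm name the chain does not recognise, so the `encodedLength > maxDataSize` check below it can never reject the key, and an unsupported or misspelled name no longer raises `ProviderException`. Only the new `...withRSAandMGF1` names need a different path, so give them their own branch, e.g. `} else if (algorithm.endsWith("withRSAandMGF1")) {`, and keep `throw new ProviderException("Unknown signature algo: " + algorithm);` in the final `else`. For PSS the encoded message needs room for the digest, the salt and two further bytes (RFC 8017, EMSA-PSS), so that branch should carry a minimum derived from the `sLen` values fixed in the constructor hunk rather than zero; how that compares with `maxDataSize` depends on code outside the hunk. The commented-out `throw` should be deleted rather than kept as dead code. The enclosing method begins and ends outside this hunk.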
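diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -729,6 +729,16 @@
         d(SIG, "SHA512withRSA", P11Signature,
                 s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
                 m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
+        d(SIG, "SHA1withRSAandMGF1", P11Signature,
+                m(CKM_SHA1_RSA_PKCS_PSS));
+        d(SIG, "SHA224withRSAandMGF1", P11Signature,
+                m(CKM_SHA224_RSA_PKCS_PSS));
+        d(SIG, "SHA256withRSAandMGF1", P11Signature,
+                m(CKM_SHA256_RSA_PKCS_PSS));
+        d(SIG, "SHA384withRSAandMGF1", P11Signature,
+                m(CKM_SHA384_RSA_PKCS_PSS));
+        d(SIG, "SHA512withRSAandMGF1", P11Signature,
+                m(CKM_SHA512_RSA_PKCS_PSS));
 
         d(KG, "SunTlsRsaPremasterSecret",
                     "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",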
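Review bot: The five new `d(SIG, "SHAxxxwithRSAandMGF1", ...)` registrations have no comment saying which PSS parameters each name implies, and a caller reading this table cannot tell. The constructor hunk in P11Signature.java fixes them per mechanism (hash, MGF1 over the same hash, salt length equal to the digest size), so a signature made with other parameters would presumably fail to verify through these entries. A comment above the block such as `// RSASSA-PSS with fixed parameters: MGF1 uses the same hash, salt length = digest length` would record that. The SHA-1 entry is registered on the same footing as the SHA-2 ones; if it is there only for interoperability with existing signatures, say so in the same comment.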
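diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Token.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Token.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Token.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Token.java
@@ -377,6 +377,10 @@
         return keyStore;
     }
 
+    CK_MECHANISM_INFO getMechanismInfo(CK_MECHANISM mechanism) throws PKCS11Exception {
+        return getMechanismInfo(mechanism.mechanism);
+    }
+
     CK_MECHANISM_INFO getMechanismInfo(long mechanism) throws PKCS11Exception {
         CK_MECHANISM_INFO result = mechInfoMap.get(mechanism);
         if (result == null) {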
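diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
@@ -116,6 +116,10 @@
         init(mechanism, params);
     }
 
+    public CK_MECHANISM(long mechanism, CK_RSA_PKCS_PSS_PARAMS params) {
+        init(mechanism, params);
+    }
+
     public CK_MECHANISM(long mechanism, CK_SSL3_KEY_MAT_PARAMS params) {
         init(mechanism, params);
     }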
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
dad9bb
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
3c4066
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
3c4066
@@ -458,6 +458,12 @@
3c4066
     public static final long  CKM_SHA384_RSA_PKCS            = 0x00000041L;
3c4066
     public static final long  CKM_SHA512_RSA_PKCS            = 0x00000042L;
3c4066
 
3c4066
+    // v2.30
3c4066
+    public static final long  CKM_SHA256_RSA_PKCS_PSS        = 0x00000043L;
3c4066
+    public static final long  CKM_SHA384_RSA_PKCS_PSS        = 0x00000044L;
3c4066
+    public static final long  CKM_SHA512_RSA_PKCS_PSS        = 0x00000045L;
3c4066
+
3c4066
+
3c4066
     public static final long  CKM_RC2_KEY_GEN                = 0x00000100L;
3c4066
     public static final long  CKM_RC2_ECB                    = 0x00000101L;
3c4066
     public static final long  CKM_RC2_CBC                    = 0x00000102L;
dad9bb
@@ -919,6 +925,10 @@
3c4066
 
3c4066
     /* The following MGFs are defined */
3c4066
     public static final long  CKG_MGF1_SHA1       =  0x00000001L;
3c4066
+    public static final long  CKG_MGF1_SHA256     =  0x00000002L;
3c4066
+    public static final long  CKG_MGF1_SHA384     =  0x00000003L;
3c4066
+    public static final long  CKG_MGF1_SHA512     =  0x00000004L;
3c4066
+
3c4066
     // new for v2.20 amendment 3
3c4066
     public static final long  CKG_MGF1_SHA224     = 0x00000005L;
3c4066