Tree - rpms/java-1.8.0-openjdk

rpms / java-1.8.0-openjdk

Blame SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch

Blob History Raw

		bd1ea0	`commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99`
		bd1ea0	`Author: Alexey Bakhtin <abakhtin@openjdk.org>`
		bd1ea0	`Date: Tue Apr 4 10:29:11 2023 +0000`
		bd1ea0
		bd1ea0	`8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key`
		bd1ea0
		bd1ea0	`Reviewed-by: andrew, mbalao`
		bd1ea0	`Backport-of: f6232982b91cb2314e96ddbde3984836a810a556`
		bd1ea0
		bd1ea0	`diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java`
		bd1ea0	`index a79e97d7c74..5378446b97b 100644`
		bd1ea0	`--- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java`
		bd1ea0	`+++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java`
		bd1ea0	`@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi {`
		bd1ea0	`@Override`
		bd1ea0	`protected void engineInitVerify(PublicKey publicKey)`
		bd1ea0	`throws InvalidKeyException {`
		bd1ea0	`- if (!(publicKey instanceof RSAPublicKey)) {`
		bd1ea0	`+ if (publicKey instanceof RSAPublicKey) {`
		bd1ea0	`+ RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey;`
		bd1ea0	`+ isPublicKeyValid(rsaPubKey);`
		bd1ea0	`+ this.pubKey = rsaPubKey;`
		bd1ea0	`+ this.privKey = null;`
		bd1ea0	`+ resetDigest();`
		bd1ea0	`+ } else {`
		bd1ea0	`throw new InvalidKeyException("key must be RSAPublicKey");`
		bd1ea0	`}`
		bd1ea0	`- this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey);`
		bd1ea0	`- this.privKey = null;`
		bd1ea0	`- resetDigest();`
		bd1ea0	`}`
		bd1ea0
		bd1ea0	`// initialize for signing. See JCA doc`
		bd1ea0	`@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi {`
		bd1ea0	`@Override`
		bd1ea0	`protected void engineInitSign(PrivateKey privateKey, SecureRandom random)`
		bd1ea0	`throws InvalidKeyException {`
		bd1ea0	`- if (!(privateKey instanceof RSAPrivateKey)) {`
		bd1ea0	`+ if (privateKey instanceof RSAPrivateKey) {`
		bd1ea0	`+ RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey;`
		bd1ea0	`+ isPrivateKeyValid(rsaPrivateKey);`
		bd1ea0	`+ this.privKey = rsaPrivateKey;`
		bd1ea0	`+ this.pubKey = null;`
		bd1ea0	`+ this.random =`
		bd1ea0	`+ (random == null ? JCAUtil.getSecureRandom() : random);`
		bd1ea0	`+ resetDigest();`
		bd1ea0	`+ } else {`
		bd1ea0	`throw new InvalidKeyException("key must be RSAPrivateKey");`
		bd1ea0	`}`
		bd1ea0	`- this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey);`
		bd1ea0	`- this.pubKey = null;`
		bd1ea0	`- this.random =`
		bd1ea0	`- (random == null? JCAUtil.getSecureRandom() : random);`
		bd1ea0	`- resetDigest();`
		bd1ea0	`}`
		bd1ea0
		bd1ea0	`/**`
		bd1ea0	`@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi {`
		bd1ea0	`}`
		bd1ea0	`}`
		bd1ea0
		bd1ea0	`+ /**`
		bd1ea0	`+ * Validate the specified RSAPrivateKey`
		bd1ea0	`+ */`
		bd1ea0	`+ private void isPrivateKeyValid(RSAPrivateKey prKey) throws InvalidKeyException {`
		bd1ea0	`+ try {`
		bd1ea0	`+ if (prKey instanceof RSAPrivateCrtKey) {`
		bd1ea0	`+ RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey;`
		bd1ea0	`+ if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) {`
		bd1ea0	`+ RSAKeyFactory.checkRSAProviderKeyLengths(`
		bd1ea0	`+ crtKey.getModulus().bitLength(),`
		bd1ea0	`+ crtKey.getPublicExponent());`
		bd1ea0	`+ } else {`
		bd1ea0	`+ throw new InvalidKeyException(`
		bd1ea0	`+ "Some of the CRT-specific components are not available");`
		bd1ea0	`+ }`
		bd1ea0	`+ } else {`
		bd1ea0	`+ RSAKeyFactory.checkRSAProviderKeyLengths(`
		bd1ea0	`+ prKey.getModulus().bitLength(),`
		bd1ea0	`+ null);`
		bd1ea0	`+ }`
		bd1ea0	`+ } catch (InvalidKeyException ikEx) {`
		bd1ea0	`+ throw ikEx;`
		bd1ea0	`+ } catch (Exception e) {`
		bd1ea0	`+ throw new InvalidKeyException(`
		bd1ea0	`+ "Can not access private key components", e);`
		bd1ea0	`+ }`
		bd1ea0	`+ isValid(prKey);`
		bd1ea0	`+ }`
		bd1ea0	`+`
		bd1ea0	`+ /**`
		bd1ea0	`+ * Validate the specified RSAPublicKey`
		bd1ea0	`+ */`
		bd1ea0	`+ private void isPublicKeyValid(RSAPublicKey pKey) throws InvalidKeyException {`
		bd1ea0	`+ try {`
		bd1ea0	`+ RSAKeyFactory.checkRSAProviderKeyLengths(`
		bd1ea0	`+ pKey.getModulus().bitLength(),`
		bd1ea0	`+ pKey.getPublicExponent());`
		bd1ea0	`+ } catch (InvalidKeyException ikEx) {`
		bd1ea0	`+ throw ikEx;`
		bd1ea0	`+ } catch (Exception e) {`
		bd1ea0	`+ throw new InvalidKeyException(`
		bd1ea0	`+ "Can not access public key components", e);`
		bd1ea0	`+ }`
		bd1ea0	`+ isValid(pKey);`
		bd1ea0	`+ }`
		bd1ea0	`+`
		bd1ea0	`/**`
		bd1ea0	`* Validate the specified RSAKey and its associated parameters against`
		bd1ea0	`* internal signature parameters.`
		bd1ea0	`*/`
		bd1ea0	`- private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException {`
		bd1ea0	`+ private void isValid(RSAKey rsaKey) throws InvalidKeyException {`
		bd1ea0	`try {`
		bd1ea0	`AlgorithmParameterSpec keyParams = rsaKey.getParams();`
		bd1ea0	`// validate key parameters`
		bd1ea0	`@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi {`
		bd1ea0	`}`
		bd1ea0	`checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength());`
		bd1ea0	`}`
		bd1ea0	`- return rsaKey;`
		bd1ea0	`} catch (SignatureException e) {`
		bd1ea0	`throw new InvalidKeyException(e);`
		bd1ea0	`}`
		bd1ea0	`diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java`
		bd1ea0	`index 6b219937981..b3c1fae9672 100644`
		bd1ea0	`--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java`
		bd1ea0	`+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java`
		bd1ea0	`@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl`
		bd1ea0	`RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded);`
		bd1ea0	`// check all CRT-specific components are available, if any one`
		bd1ea0	`// missing, return a non-CRT key instead`
		bd1ea0	`- if ((key.getPublicExponent().signum() == 0) \|\|`
		bd1ea0	`- (key.getPrimeExponentP().signum() == 0) \|\|`
		bd1ea0	`- (key.getPrimeExponentQ().signum() == 0) \|\|`
		bd1ea0	`- (key.getPrimeP().signum() == 0) \|\|`
		bd1ea0	`- (key.getPrimeQ().signum() == 0) \|\|`
		bd1ea0	`- (key.getCrtCoefficient().signum() == 0)) {`
		bd1ea0	`+ if (checkComponents(key)) {`
		bd1ea0	`+ return key;`
		bd1ea0	`+ } else {`
		bd1ea0	`return new RSAPrivateKeyImpl(`
		bd1ea0	`key.algid,`
		bd1ea0	`key.getModulus(),`
		bd1ea0	`- key.getPrivateExponent()`
		bd1ea0	`- );`
		bd1ea0	`- } else {`
		bd1ea0	`- return key;`
		bd1ea0	`+ key.getPrivateExponent());`
		bd1ea0	`}`
		bd1ea0	`}`
		bd1ea0
		bd1ea0	`+ /**`
		bd1ea0	`+ * Validate if all CRT-specific components are available.`
		bd1ea0	`+ */`
		bd1ea0	`+ static boolean checkComponents(RSAPrivateCrtKey key) {`
		bd1ea0	`+ return !((key.getPublicExponent().signum() == 0) \|\|`
		bd1ea0	`+ (key.getPrimeExponentP().signum() == 0) \|\|`
		bd1ea0	`+ (key.getPrimeExponentQ().signum() == 0) \|\|`
		bd1ea0	`+ (key.getPrimeP().signum() == 0) \|\|`
		bd1ea0	`+ (key.getPrimeQ().signum() == 0) \|\|`
		bd1ea0	`+ (key.getCrtCoefficient().signum() == 0));`
		bd1ea0	`+ }`
		bd1ea0	`+`
		bd1ea0	`/**`
		bd1ea0	`* Generate a new key from the specified type and components.`
		bd1ea0	`* Returns a CRT key if possible and a non-CRT key otherwise.`

rpms / java-1.8.0-openjdk

Source Code

Blame SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch