Blame SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch

bd1ea0
commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99
bd1ea0
Author: Alexey Bakhtin <abakhtin@openjdk.org>
bd1ea0
Date:   Tue Apr 4 10:29:11 2023 +0000
bd1ea0
bd1ea0
    8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
bd1ea0
    
bd1ea0
    Reviewed-by: andrew, mbalao
bd1ea0
    Backport-of: f6232982b91cb2314e96ddbde3984836a810a556
bd1ea0
bd1ea0
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
bd1ea0
index a79e97d7c74..5378446b97b 100644
bd1ea0
--- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
bd1ea0
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
bd1ea0
@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi {
bd1ea0
     @Override
bd1ea0
     protected void engineInitVerify(PublicKey publicKey)
bd1ea0
             throws InvalidKeyException {
bd1ea0
-        if (!(publicKey instanceof RSAPublicKey)) {
bd1ea0
+        if (publicKey instanceof RSAPublicKey) {
bd1ea0
+            RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey;
bd1ea0
+            isPublicKeyValid(rsaPubKey);
bd1ea0
+            this.pubKey = rsaPubKey;
bd1ea0
+            this.privKey = null;
bd1ea0
+            resetDigest();
bd1ea0
+        } else {
bd1ea0
             throw new InvalidKeyException("key must be RSAPublicKey");
bd1ea0
         }
bd1ea0
-        this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey);
bd1ea0
-        this.privKey = null;
bd1ea0
-        resetDigest();
bd1ea0
     }
bd1ea0
 
bd1ea0
     // initialize for signing. See JCA doc
bd1ea0
@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi {
bd1ea0
     @Override
bd1ea0
     protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
bd1ea0
             throws InvalidKeyException {
bd1ea0
-        if (!(privateKey instanceof RSAPrivateKey)) {
bd1ea0
+        if (privateKey instanceof RSAPrivateKey) {
bd1ea0
+            RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey;
bd1ea0
+            isPrivateKeyValid(rsaPrivateKey);
bd1ea0
+            this.privKey = rsaPrivateKey;
bd1ea0
+            this.pubKey = null;
bd1ea0
+            this.random =
bd1ea0
+                    (random == null ? JCAUtil.getSecureRandom() : random);
bd1ea0
+            resetDigest();
bd1ea0
+        } else {
bd1ea0
             throw new InvalidKeyException("key must be RSAPrivateKey");
bd1ea0
         }
bd1ea0
-        this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey);
bd1ea0
-        this.pubKey = null;
bd1ea0
-        this.random =
bd1ea0
-            (random == null? JCAUtil.getSecureRandom() : random);
bd1ea0
-        resetDigest();
bd1ea0
     }
bd1ea0
 
bd1ea0
     /**
bd1ea0
@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi {
bd1ea0
         }
bd1ea0
     }
bd1ea0
 
bd1ea0
+    /**
bd1ea0
+     * Validate the specified RSAPrivateKey
bd1ea0
+     */
bd1ea0
+    private void isPrivateKeyValid(RSAPrivateKey prKey)  throws InvalidKeyException {
bd1ea0
+        try {
bd1ea0
+            if (prKey instanceof RSAPrivateCrtKey) {
bd1ea0
+                RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey;
bd1ea0
+                if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) {
bd1ea0
+                    RSAKeyFactory.checkRSAProviderKeyLengths(
bd1ea0
+                            crtKey.getModulus().bitLength(),
bd1ea0
+                            crtKey.getPublicExponent());
bd1ea0
+                } else {
bd1ea0
+                    throw new InvalidKeyException(
bd1ea0
+                            "Some of the CRT-specific components are not available");
bd1ea0
+                }
bd1ea0
+            } else {
bd1ea0
+                RSAKeyFactory.checkRSAProviderKeyLengths(
bd1ea0
+                        prKey.getModulus().bitLength(),
bd1ea0
+                        null);
bd1ea0
+            }
bd1ea0
+        } catch (InvalidKeyException ikEx) {
bd1ea0
+            throw ikEx;
bd1ea0
+        } catch (Exception e) {
bd1ea0
+            throw new InvalidKeyException(
bd1ea0
+                    "Can not access private key components", e);
bd1ea0
+        }
bd1ea0
+        isValid(prKey);
bd1ea0
+    }
bd1ea0
+
bd1ea0
+    /**
bd1ea0
+     * Validate the specified RSAPublicKey
bd1ea0
+     */
bd1ea0
+    private void isPublicKeyValid(RSAPublicKey pKey)  throws InvalidKeyException {
bd1ea0
+        try {
bd1ea0
+            RSAKeyFactory.checkRSAProviderKeyLengths(
bd1ea0
+                    pKey.getModulus().bitLength(),
bd1ea0
+                    pKey.getPublicExponent());
bd1ea0
+        } catch (InvalidKeyException ikEx) {
bd1ea0
+            throw ikEx;
bd1ea0
+        } catch (Exception e) {
bd1ea0
+            throw new InvalidKeyException(
bd1ea0
+                    "Can not access public key components", e);
bd1ea0
+        }
bd1ea0
+        isValid(pKey);
bd1ea0
+    }
bd1ea0
+
bd1ea0
     /**
bd1ea0
      * Validate the specified RSAKey and its associated parameters against
bd1ea0
      * internal signature parameters.
bd1ea0
      */
bd1ea0
-    private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException {
bd1ea0
+    private void isValid(RSAKey rsaKey) throws InvalidKeyException {
bd1ea0
         try {
bd1ea0
             AlgorithmParameterSpec keyParams = rsaKey.getParams();
bd1ea0
             // validate key parameters
bd1ea0
@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi {
bd1ea0
                 }
bd1ea0
                 checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength());
bd1ea0
             }
bd1ea0
-            return rsaKey;
bd1ea0
         } catch (SignatureException e) {
bd1ea0
             throw new InvalidKeyException(e);
bd1ea0
         }
bd1ea0
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
bd1ea0
index 6b219937981..b3c1fae9672 100644
bd1ea0
--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
bd1ea0
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
bd1ea0
@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl
bd1ea0
         RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded);
bd1ea0
         // check all CRT-specific components are available, if any one
bd1ea0
         // missing, return a non-CRT key instead
bd1ea0
-        if ((key.getPublicExponent().signum() == 0) ||
bd1ea0
-            (key.getPrimeExponentP().signum() == 0) ||
bd1ea0
-            (key.getPrimeExponentQ().signum() == 0) ||
bd1ea0
-            (key.getPrimeP().signum() == 0) ||
bd1ea0
-            (key.getPrimeQ().signum() == 0) ||
bd1ea0
-            (key.getCrtCoefficient().signum() == 0)) {
bd1ea0
+        if (checkComponents(key)) {
bd1ea0
+            return key;
bd1ea0
+        } else {
bd1ea0
             return new RSAPrivateKeyImpl(
bd1ea0
                 key.algid,
bd1ea0
                 key.getModulus(),
bd1ea0
-                key.getPrivateExponent()
bd1ea0
-            );
bd1ea0
-        } else {
bd1ea0
-            return key;
bd1ea0
+                key.getPrivateExponent());
bd1ea0
         }
bd1ea0
     }
bd1ea0
 
bd1ea0
+    /**
bd1ea0
+     * Validate if all CRT-specific components are available.
bd1ea0
+     */
bd1ea0
+    static boolean checkComponents(RSAPrivateCrtKey key) {
bd1ea0
+        return !((key.getPublicExponent().signum() == 0) ||
bd1ea0
+            (key.getPrimeExponentP().signum() == 0) ||
bd1ea0
+            (key.getPrimeExponentQ().signum() == 0) ||
bd1ea0
+            (key.getPrimeP().signum() == 0) ||
bd1ea0
+            (key.getPrimeQ().signum() == 0) ||
bd1ea0
+            (key.getCrtCoefficient().signum() == 0));
bd1ea0
+    }
bd1ea0
+
bd1ea0
     /**
bd1ea0
      * Generate a new key from the specified type and components.
bd1ea0
      * Returns a CRT key if possible and a non-CRT key otherwise.