|
 |
3fa52e |
# HG changeset patch
|
|
|
3fa52e |
# User valeriep
|
|
|
3fa52e |
# Date 1581468987 0
|
|
|
3fa52e |
# Wed Feb 12 00:56:27 2020 +0000
|
|
|
3fa52e |
# Node ID e47d22d82b0464720ccb7641e290080972b6ce88
|
|
|
3fa52e |
# Parent 5c41dc4c48f85e5a1e1ce6e3836b54674f273367
|
|
|
3fa52e |
8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding
|
|
|
3fa52e |
Summary: Removed killSession() calls in certain impl classes when cancelling operations
|
|
|
3fa52e |
Reviewed-by: xuelei
|
|
|
3fa52e |
|
|
|
3fa52e |
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
|
|
|
3fa52e |
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
|
|
|
3fa52e |
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
|
|
|
3fa52e |
@@ -1,4 +1,5 @@
|
|
|
3fa52e |
-/* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
+/*
|
|
|
3fa52e |
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
3fa52e |
*
|
|
|
3fa52e |
* This code is free software; you can redistribute it and/or modify it
|
|
|
3fa52e |
@@ -334,25 +335,25 @@
|
|
|
3fa52e |
}
|
|
|
3fa52e |
|
|
|
3fa52e |
private void cancelOperation() {
|
|
|
3fa52e |
+ // cancel operation by finishing it; avoid killSession as some
|
|
|
3fa52e |
+ // hardware vendors may require re-login
|
|
|
3fa52e |
+ int bufLen = doFinalLength(0);
|
|
|
3fa52e |
+ byte[] buffer = new byte[bufLen];
|
|
|
3fa52e |
+ byte[] in = dataBuffer.toByteArray();
|
|
|
3fa52e |
+ int inLen = in.length;
|
|
|
3fa52e |
try {
|
|
|
3fa52e |
- if (session.hasObjects() == false) {
|
|
|
3fa52e |
- session = token.killSession(session);
|
|
|
3fa52e |
- return;
|
|
|
3fa52e |
+ if (encrypt) {
|
|
|
3fa52e |
+ token.p11.C_Encrypt(session.id(), 0, in, 0, inLen,
|
|
|
3fa52e |
+ 0, buffer, 0, bufLen);
|
|
|
3fa52e |
} else {
|
|
|
3fa52e |
- // cancel operation by finishing it
|
|
|
3fa52e |
- int bufLen = doFinalLength(0);
|
|
|
3fa52e |
- byte[] buffer = new byte[bufLen];
|
|
|
3fa52e |
-
|
|
|
3fa52e |
- if (encrypt) {
|
|
|
3fa52e |
- token.p11.C_Encrypt(session.id(), 0, buffer, 0, bufLen,
|
|
|
3fa52e |
- 0, buffer, 0, bufLen);
|
|
|
3fa52e |
- } else {
|
|
|
3fa52e |
- token.p11.C_Decrypt(session.id(), 0, buffer, 0, bufLen,
|
|
|
3fa52e |
- 0, buffer, 0, bufLen);
|
|
|
3fa52e |
- }
|
|
|
3fa52e |
+ token.p11.C_Decrypt(session.id(), 0, in, 0, inLen,
|
|
|
3fa52e |
+ 0, buffer, 0, bufLen);
|
|
|
3fa52e |
}
|
|
|
3fa52e |
} catch (PKCS11Exception e) {
|
|
|
3fa52e |
- throw new ProviderException("Cancel failed", e);
|
|
|
3fa52e |
+ if (encrypt) {
|
|
|
3fa52e |
+ throw new ProviderException("Cancel failed", e);
|
|
|
3fa52e |
+ }
|
|
|
3fa52e |
+ // ignore failure for decryption
|
|
|
3fa52e |
}
|
|
|
3fa52e |
}
|
|
|
3fa52e |
|
|
|
3fa52e |
@@ -434,18 +435,21 @@
|
|
|
3fa52e |
if (!initialized) {
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+ initialized = false;
|
|
|
3fa52e |
+
|
|
|
3fa52e |
try {
|
|
|
3fa52e |
if (session == null) {
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+
|
|
|
3fa52e |
if (doCancel && token.explicitCancel) {
|
|
|
3fa52e |
cancelOperation();
|
|
|
3fa52e |
}
|
|
|
3fa52e |
} finally {
|
|
|
3fa52e |
p11Key.releaseKeyID();
|
|
|
3fa52e |
session = token.releaseSession(session);
|
|
|
3fa52e |
+ dataBuffer.reset();
|
|
|
3fa52e |
}
|
|
|
3fa52e |
- initialized = false;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
|
|
|
3fa52e |
// see JCE spec
|
|
|
3fa52e |
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
|
|
3fa52e |
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
|
|
3fa52e |
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
|
|
3fa52e |
@@ -1,5 +1,5 @@
|
|
|
3fa52e |
/*
|
|
|
3fa52e |
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
3fa52e |
*
|
|
|
3fa52e |
* This code is free software; you can redistribute it and/or modify it
|
|
|
3fa52e |
@@ -409,10 +409,12 @@
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
initialized = false;
|
|
|
3fa52e |
+
|
|
|
3fa52e |
try {
|
|
|
3fa52e |
if (session == null) {
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+
|
|
|
3fa52e |
if (doCancel && token.explicitCancel) {
|
|
|
3fa52e |
cancelOperation();
|
|
|
3fa52e |
}
|
|
|
3fa52e |
@@ -426,22 +428,21 @@
|
|
|
3fa52e |
|
|
|
3fa52e |
private void cancelOperation() {
|
|
|
3fa52e |
token.ensureValid();
|
|
|
3fa52e |
- if (session.hasObjects() == false) {
|
|
|
3fa52e |
- session = token.killSession(session);
|
|
|
3fa52e |
- return;
|
|
|
3fa52e |
- } else {
|
|
|
3fa52e |
- try {
|
|
|
3fa52e |
- // cancel operation by finishing it
|
|
|
3fa52e |
- int bufLen = doFinalLength(0);
|
|
|
3fa52e |
- byte[] buffer = new byte[bufLen];
|
|
|
3fa52e |
- if (encrypt) {
|
|
|
3fa52e |
- token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen);
|
|
|
3fa52e |
- } else {
|
|
|
3fa52e |
- token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
|
|
|
3fa52e |
- }
|
|
|
3fa52e |
- } catch (PKCS11Exception e) {
|
|
|
3fa52e |
+ // cancel operation by finishing it; avoid killSession as some
|
|
|
3fa52e |
+ // hardware vendors may require re-login
|
|
|
3fa52e |
+ try {
|
|
|
3fa52e |
+ int bufLen = doFinalLength(0);
|
|
|
3fa52e |
+ byte[] buffer = new byte[bufLen];
|
|
|
3fa52e |
+ if (encrypt) {
|
|
|
3fa52e |
+ token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen);
|
|
|
3fa52e |
+ } else {
|
|
|
3fa52e |
+ token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
|
|
|
3fa52e |
+ }
|
|
|
3fa52e |
+ } catch (PKCS11Exception e) {
|
|
|
3fa52e |
+ if (encrypt) {
|
|
|
3fa52e |
throw new ProviderException("Cancel failed", e);
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+ // ignore failure for decryption
|
|
|
3fa52e |
}
|
|
|
3fa52e |
}
|
|
|
3fa52e |
|
|
|
3fa52e |
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
|
|
3fa52e |
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
|
|
3fa52e |
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
|
|
3fa52e |
@@ -1,5 +1,5 @@
|
|
|
3fa52e |
/*
|
|
|
3fa52e |
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
3fa52e |
*
|
|
|
3fa52e |
* This code is free software; you can redistribute it and/or modify it
|
|
|
3fa52e |
@@ -124,10 +124,12 @@
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
initialized = false;
|
|
|
3fa52e |
+
|
|
|
3fa52e |
try {
|
|
|
3fa52e |
if (session == null) {
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+
|
|
|
3fa52e |
if (doCancel && token.explicitCancel) {
|
|
|
3fa52e |
cancelOperation();
|
|
|
3fa52e |
}
|
|
|
3fa52e |
@@ -139,15 +141,12 @@
|
|
|
3fa52e |
|
|
|
3fa52e |
private void cancelOperation() {
|
|
|
3fa52e |
token.ensureValid();
|
|
|
3fa52e |
- if (session.hasObjects() == false) {
|
|
|
3fa52e |
- session = token.killSession(session);
|
|
|
3fa52e |
- return;
|
|
|
3fa52e |
- } else {
|
|
|
3fa52e |
- try {
|
|
|
3fa52e |
- token.p11.C_SignFinal(session.id(), 0);
|
|
|
3fa52e |
- } catch (PKCS11Exception e) {
|
|
|
3fa52e |
- throw new ProviderException("Cancel failed", e);
|
|
|
3fa52e |
- }
|
|
|
3fa52e |
+ // cancel operation by finishing it; avoid killSession as some
|
|
|
3fa52e |
+ // hardware vendors may require re-login
|
|
|
3fa52e |
+ try {
|
|
|
3fa52e |
+ token.p11.C_SignFinal(session.id(), 0);
|
|
|
3fa52e |
+ } catch (PKCS11Exception e) {
|
|
|
3fa52e |
+ throw new ProviderException("Cancel failed", e);
|
|
|
3fa52e |
}
|
|
|
3fa52e |
}
|
|
|
3fa52e |
|
|
|
3fa52e |
@@ -209,7 +208,6 @@
|
|
|
3fa52e |
ensureInitialized();
|
|
|
3fa52e |
return token.p11.C_SignFinal(session.id(), 0);
|
|
|
3fa52e |
} catch (PKCS11Exception e) {
|
|
|
3fa52e |
- reset(true);
|
|
|
3fa52e |
throw new ProviderException("doFinal() failed", e);
|
|
|
3fa52e |
} finally {
|
|
|
3fa52e |
reset(false);
|
|
|
3fa52e |
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
|
|
3fa52e |
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
|
|
3fa52e |
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
|
|
3fa52e |
@@ -1,5 +1,5 @@
|
|
|
3fa52e |
/*
|
|
|
3fa52e |
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
3fa52e |
*
|
|
|
3fa52e |
* This code is free software; you can redistribute it and/or modify it
|
|
|
3fa52e |
@@ -223,10 +223,12 @@
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
initialized = false;
|
|
|
3fa52e |
+
|
|
|
3fa52e |
try {
|
|
|
3fa52e |
if (session == null) {
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+
|
|
|
3fa52e |
if (doCancel && token.explicitCancel) {
|
|
|
3fa52e |
cancelOperation();
|
|
|
3fa52e |
}
|
|
|
3fa52e |
@@ -242,14 +244,10 @@
|
|
|
3fa52e |
token.ensureValid();
|
|
|
3fa52e |
if (DEBUG) System.out.print("Cancelling operation");
|
|
|
3fa52e |
|
|
|
3fa52e |
- if (session.hasObjects() == false) {
|
|
|
3fa52e |
- if (DEBUG) System.out.println(" by killing session");
|
|
|
3fa52e |
- session = token.killSession(session);
|
|
|
3fa52e |
- return;
|
|
|
3fa52e |
- }
|
|
|
3fa52e |
- // "cancel" operation by finishing it
|
|
|
3fa52e |
- if (mode == M_SIGN) {
|
|
|
3fa52e |
- try {
|
|
|
3fa52e |
+ // cancel operation by finishing it; avoid killSession as some
|
|
|
3fa52e |
+ // hardware vendors may require re-login
|
|
|
3fa52e |
+ try {
|
|
|
3fa52e |
+ if (mode == M_SIGN) {
|
|
|
3fa52e |
if (type == T_UPDATE) {
|
|
|
3fa52e |
if (DEBUG) System.out.println(" by C_SignFinal");
|
|
|
3fa52e |
token.p11.C_SignFinal(session.id(), 0);
|
|
|
3fa52e |
@@ -259,11 +257,7 @@
|
|
|
3fa52e |
if (DEBUG) System.out.println(" by C_Sign");
|
|
|
3fa52e |
token.p11.C_Sign(session.id(), digest);
|
|
|
3fa52e |
}
|
|
|
3fa52e |
- } catch (PKCS11Exception e) {
|
|
|
3fa52e |
- throw new ProviderException("cancel failed", e);
|
|
|
3fa52e |
- }
|
|
|
3fa52e |
- } else { // M_VERIFY
|
|
|
3fa52e |
- try {
|
|
|
3fa52e |
+ } else { // M_VERIFY
|
|
|
3fa52e |
byte[] signature =
|
|
|
3fa52e |
new byte[(p11Key.length() + 7) >> 3];
|
|
|
3fa52e |
if (type == T_UPDATE) {
|
|
|
3fa52e |
@@ -275,10 +269,12 @@
|
|
|
3fa52e |
if (DEBUG) System.out.println(" by C_Verify");
|
|
|
3fa52e |
token.p11.C_Verify(session.id(), digest, signature);
|
|
|
3fa52e |
}
|
|
|
3fa52e |
- } catch (PKCS11Exception e) {
|
|
|
3fa52e |
- // will fail since the signature is incorrect
|
|
|
3fa52e |
- // XXX check error code
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+ } catch (PKCS11Exception e) {
|
|
|
3fa52e |
+ if (mode == M_SIGN) {
|
|
|
3fa52e |
+ throw new ProviderException("cancel failed", e);
|
|
|
3fa52e |
+ }
|
|
|
3fa52e |
+ // ignore failure for verification
|
|
|
3fa52e |
}
|
|
|
3fa52e |
}
|
|
|
3fa52e |
|
|
|
3fa52e |
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
|
|
|
3fa52e |
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
|
|
|
3fa52e |
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
|
|
|
3fa52e |
@@ -1,5 +1,5 @@
|
|
|
3fa52e |
/*
|
|
|
3fa52e |
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
3fa52e |
*
|
|
|
3fa52e |
* This code is free software; you can redistribute it and/or modify it
|
|
|
3fa52e |
@@ -247,10 +247,12 @@
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
initialized = false;
|
|
|
3fa52e |
+
|
|
|
3fa52e |
try {
|
|
|
3fa52e |
if (session == null) {
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+
|
|
|
3fa52e |
if (doCancel && token.explicitCancel) {
|
|
|
3fa52e |
cancelOperation();
|
|
|
3fa52e |
}
|
|
|
3fa52e |
@@ -264,36 +266,33 @@
|
|
|
3fa52e |
// state variables such as "initialized"
|
|
|
3fa52e |
private void cancelOperation() {
|
|
|
3fa52e |
token.ensureValid();
|
|
|
3fa52e |
- if (session.hasObjects() == false) {
|
|
|
3fa52e |
- session = token.killSession(session);
|
|
|
3fa52e |
- return;
|
|
|
3fa52e |
- } else {
|
|
|
3fa52e |
- try {
|
|
|
3fa52e |
- PKCS11 p11 = token.p11;
|
|
|
3fa52e |
- int inLen = maxInputSize;
|
|
|
3fa52e |
- int outLen = buffer.length;
|
|
|
3fa52e |
- long sessId = session.id();
|
|
|
3fa52e |
- switch (mode) {
|
|
|
3fa52e |
- case MODE_ENCRYPT:
|
|
|
3fa52e |
- p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
|
|
3fa52e |
- break;
|
|
|
3fa52e |
- case MODE_DECRYPT:
|
|
|
3fa52e |
- p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
|
|
3fa52e |
- break;
|
|
|
3fa52e |
- case MODE_SIGN:
|
|
|
3fa52e |
- byte[] tmpBuffer = new byte[maxInputSize];
|
|
|
3fa52e |
- p11.C_Sign(sessId, tmpBuffer);
|
|
|
3fa52e |
- break;
|
|
|
3fa52e |
- case MODE_VERIFY:
|
|
|
3fa52e |
- p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
|
|
|
3fa52e |
- 0, outLen);
|
|
|
3fa52e |
- break;
|
|
|
3fa52e |
- default:
|
|
|
3fa52e |
- throw new ProviderException("internal error");
|
|
|
3fa52e |
- }
|
|
|
3fa52e |
- } catch (PKCS11Exception e) {
|
|
|
3fa52e |
- // XXX ensure this always works, ignore error
|
|
|
3fa52e |
+ // cancel operation by finishing it; avoid killSession as some
|
|
|
3fa52e |
+ // hardware vendors may require re-login
|
|
|
3fa52e |
+ try {
|
|
|
3fa52e |
+ PKCS11 p11 = token.p11;
|
|
|
3fa52e |
+ int inLen = maxInputSize;
|
|
|
3fa52e |
+ int outLen = buffer.length;
|
|
|
3fa52e |
+ long sessId = session.id();
|
|
|
3fa52e |
+ switch (mode) {
|
|
|
3fa52e |
+ case MODE_ENCRYPT:
|
|
|
3fa52e |
+ p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
|
|
3fa52e |
+ break;
|
|
|
3fa52e |
+ case MODE_DECRYPT:
|
|
|
3fa52e |
+ p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
|
|
3fa52e |
+ break;
|
|
|
3fa52e |
+ case MODE_SIGN:
|
|
|
3fa52e |
+ byte[] tmpBuffer = new byte[maxInputSize];
|
|
|
3fa52e |
+ p11.C_Sign(sessId, tmpBuffer);
|
|
|
3fa52e |
+ break;
|
|
|
3fa52e |
+ case MODE_VERIFY:
|
|
|
3fa52e |
+ p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
|
|
|
3fa52e |
+ 0, outLen);
|
|
|
3fa52e |
+ break;
|
|
|
3fa52e |
+ default:
|
|
|
3fa52e |
+ throw new ProviderException("internal error");
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+ } catch (PKCS11Exception e) {
|
|
|
3fa52e |
+ // XXX ensure this always works, ignore error
|
|
|
3fa52e |
}
|
|
|
3fa52e |
}
|
|
|
3fa52e |
|
|
|
3fa52e |
@@ -362,6 +361,7 @@
|
|
|
3fa52e |
private int implDoFinal(byte[] out, int outOfs, int outLen)
|
|
|
3fa52e |
throws BadPaddingException, IllegalBlockSizeException {
|
|
|
3fa52e |
if (bufOfs > maxInputSize) {
|
|
|
3fa52e |
+ reset(true);
|
|
|
3fa52e |
throw new IllegalBlockSizeException("Data must not be longer "
|
|
|
3fa52e |
+ "than " + maxInputSize + " bytes");
|
|
|
3fa52e |
}
|
|
|
3fa52e |
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
|
|
3fa52e |
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
|
|
3fa52e |
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
|
|
3fa52e |
@@ -1,5 +1,5 @@
|
|
|
3fa52e |
/*
|
|
|
3fa52e |
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
|
3fa52e |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
3fa52e |
*
|
|
|
3fa52e |
* This code is free software; you can redistribute it and/or modify it
|
|
|
3fa52e |
@@ -270,10 +270,12 @@
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
initialized = false;
|
|
|
3fa52e |
+
|
|
|
3fa52e |
try {
|
|
|
3fa52e |
if (session == null) {
|
|
|
3fa52e |
return;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+
|
|
|
3fa52e |
if (doCancel && token.explicitCancel) {
|
|
|
3fa52e |
cancelOperation();
|
|
|
3fa52e |
}
|
|
|
3fa52e |
@@ -284,59 +286,51 @@
|
|
|
3fa52e |
}
|
|
|
3fa52e |
|
|
|
3fa52e |
private void cancelOperation() {
|
|
|
3fa52e |
-
|
|
|
3fa52e |
token.ensureValid();
|
|
|
3fa52e |
- if (session.hasObjects() == false) {
|
|
|
3fa52e |
- session = token.killSession(session);
|
|
|
3fa52e |
- return;
|
|
|
3fa52e |
- } else {
|
|
|
3fa52e |
- // "cancel" operation by finishing it
|
|
|
3fa52e |
- // XXX make sure all this always works correctly
|
|
|
3fa52e |
+ // cancel operation by finishing it; avoid killSession as some
|
|
|
3fa52e |
+ // hardware vendors may require re-login
|
|
|
3fa52e |
+ try {
|
|
|
3fa52e |
if (mode == M_SIGN) {
|
|
|
3fa52e |
- try {
|
|
|
3fa52e |
- if (type == T_UPDATE) {
|
|
|
3fa52e |
- token.p11.C_SignFinal(session.id(), 0);
|
|
|
3fa52e |
- } else {
|
|
|
3fa52e |
- byte[] digest;
|
|
|
3fa52e |
- if (type == T_DIGEST) {
|
|
|
3fa52e |
- digest = md.digest();
|
|
|
3fa52e |
- } else { // T_RAW
|
|
|
3fa52e |
- digest = buffer;
|
|
|
3fa52e |
- }
|
|
|
3fa52e |
- token.p11.C_Sign(session.id(), digest);
|
|
|
3fa52e |
+ if (type == T_UPDATE) {
|
|
|
3fa52e |
+ token.p11.C_SignFinal(session.id(), 0);
|
|
|
3fa52e |
+ } else {
|
|
|
3fa52e |
+ byte[] digest;
|
|
|
3fa52e |
+ if (type == T_DIGEST) {
|
|
|
3fa52e |
+ digest = md.digest();
|
|
|
3fa52e |
+ } else { // T_RAW
|
|
|
3fa52e |
+ digest = buffer;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
- } catch (PKCS11Exception e) {
|
|
|
3fa52e |
- throw new ProviderException("cancel failed", e);
|
|
|
3fa52e |
+ token.p11.C_Sign(session.id(), digest);
|
|
|
3fa52e |
}
|
|
|
3fa52e |
} else { // M_VERIFY
|
|
|
3fa52e |
byte[] signature;
|
|
|
3fa52e |
- try {
|
|
|
3fa52e |
- if (keyAlgorithm.equals("DSA")) {
|
|
|
3fa52e |
- signature = new byte[40];
|
|
|
3fa52e |
- } else {
|
|
|
3fa52e |
- signature = new byte[(p11Key.length() + 7) >> 3];
|
|
|
3fa52e |
+ if (keyAlgorithm.equals("DSA")) {
|
|
|
3fa52e |
+ signature = new byte[40];
|
|
|
3fa52e |
+ } else {
|
|
|
3fa52e |
+ signature = new byte[(p11Key.length() + 7) >> 3];
|
|
|
3fa52e |
+ }
|
|
|
3fa52e |
+ if (type == T_UPDATE) {
|
|
|
3fa52e |
+ token.p11.C_VerifyFinal(session.id(), signature);
|
|
|
3fa52e |
+ } else {
|
|
|
3fa52e |
+ byte[] digest;
|
|
|
3fa52e |
+ if (type == T_DIGEST) {
|
|
|
3fa52e |
+ digest = md.digest();
|
|
|
3fa52e |
+ } else { // T_RAW
|
|
|
3fa52e |
+ digest = buffer;
|
|
|
3fa52e |
}
|
|
|
3fa52e |
- if (type == T_UPDATE) {
|
|
|
3fa52e |
- token.p11.C_VerifyFinal(session.id(), signature);
|
|
|
3fa52e |
- } else {
|
|
|
3fa52e |
- byte[] digest;
|
|
|
3fa52e |
- if (type == T_DIGEST) {
|
|
|
3fa52e |
- digest = md.digest();
|
|
|
3fa52e |
- } else { // T_RAW
|
|
|
3fa52e |
- digest = buffer;
|
|
|
3fa52e |
- }
|
|
|
3fa52e |
- token.p11.C_Verify(session.id(), digest, signature);
|
|
|
3fa52e |
- }
|
|
|
3fa52e |
- } catch (PKCS11Exception e) {
|
|
|
3fa52e |
- long errorCode = e.getErrorCode();
|
|
|
3fa52e |
- if ((errorCode == CKR_SIGNATURE_INVALID) ||
|
|
|
3fa52e |
- (errorCode == CKR_SIGNATURE_LEN_RANGE)) {
|
|
|
3fa52e |
- // expected since signature is incorrect
|
|
|
3fa52e |
- return;
|
|
|
3fa52e |
- }
|
|
|
3fa52e |
- throw new ProviderException("cancel failed", e);
|
|
|
3fa52e |
+ token.p11.C_Verify(session.id(), digest, signature);
|
|
|
3fa52e |
}
|
|
|
3fa52e |
}
|
|
|
3fa52e |
+ } catch (PKCS11Exception e) {
|
|
|
3fa52e |
+ if (mode == M_VERIFY) {
|
|
|
3fa52e |
+ long errorCode = e.getErrorCode();
|
|
|
3fa52e |
+ if ((errorCode == CKR_SIGNATURE_INVALID) ||
|
|
|
3fa52e |
+ (errorCode == CKR_SIGNATURE_LEN_RANGE)) {
|
|
|
3fa52e |
+ // expected since signature is incorrect
|
|
|
3fa52e |
+ return;
|
|
|
3fa52e |
+ }
|
|
|
3fa52e |
+ }
|
|
|
3fa52e |
+ throw new ProviderException("cancel failed", e);
|
|
|
3fa52e |
}
|
|
|
3fa52e |
}
|
|
|
3fa52e |
|