Mercurial > hg > openjdk > jdk6 > jdk
changeset 1731:1419e995bc69
8181692: Update storage implementations
Reviewed-by: weijun, igerasim
author | igerasim |
---|---|
date | Wed, 12 Jul 2017 11:21:55 -0700 |
parents | 28bb1ac1f01c |
children | fe83e4b18082 |
files | src/share/classes/com/sun/crypto/provider/KeyProtector.java src/share/classes/com/sun/crypto/provider/PBECipherCore.java src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java |
diffstat | 3 files changed, 85 insertions(+), 17 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/com/sun/crypto/provider/KeyProtector.java Wed Jun 07 11:43:14 2017 -0700 +++ b/src/share/classes/com/sun/crypto/provider/KeyProtector.java Wed Jul 12 11:21:55 2017 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -38,6 +38,7 @@ import java.security.NoSuchProviderException; import java.security.UnrecoverableKeyException; import java.security.AlgorithmParameters; +import java.security.spec.InvalidParameterSpecException; import java.security.spec.PKCS8EncodedKeySpec; import javax.crypto.Cipher; @@ -74,6 +75,8 @@ // keys in the keystore implementation that comes with JDK 1.2) private static final String KEY_PROTECTOR_OID = "1.3.6.1.4.1.42.2.17.1.1"; + private static final int MAX_ITERATION_COUNT = 5000000; + private static final int ITERATION_COUNT = 200000; private static final int SALT_LEN = 20; // the salt length private static final int DIGEST_LEN = 20; @@ -102,7 +105,7 @@ SunJCE.RANDOM.nextBytes(salt); // create PBE parameters from salt and iteration count - PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20); + PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, ITERATION_COUNT); // create PBE key from password PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); @@ -157,6 +160,9 @@ pbeParams.init(encodedParams); PBEParameterSpec pbeSpec = pbeParams.getParameterSpec(PBEParameterSpec.class); + if (pbeSpec.getIterationCount() > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } // create PBE key from password PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); @@ -287,7 +293,7 @@ SunJCE.RANDOM.nextBytes(salt); // create PBE parameters from salt and iteration count - PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20); + PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, ITERATION_COUNT); // create PBE key from password PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); @@ -328,6 +334,15 @@ throw new UnrecoverableKeyException("Cannot get " + "algorithm parameters"); } + PBEParameterSpec pbeSpec; + try { + pbeSpec = params.getParameterSpec(PBEParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + throw new IOException("Invalid PBE algorithm parameters"); + } + if (pbeSpec.getIterationCount() > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } PBEWithMD5AndTripleDESCipher cipherSpi; cipherSpi = new PBEWithMD5AndTripleDESCipher(); Cipher cipher = new CipherForKeyProtector(cipherSpi, PROV,
--- a/src/share/classes/com/sun/crypto/provider/PBECipherCore.java Wed Jun 07 11:43:14 2017 -0700 +++ b/src/share/classes/com/sun/crypto/provider/PBECipherCore.java Wed Jul 12 11:21:55 2017 -0700 @@ -288,7 +288,7 @@ for (i=0; i<2; i++) { byte tmp = salt[i]; salt[i] = salt[3-i]; - salt[3-1] = tmp; + salt[3-i] = tmp; } }
--- a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java Wed Jun 07 11:43:14 2017 -0700 +++ b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java Wed Jul 12 11:21:55 2017 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -39,10 +39,12 @@ import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; +import java.security.spec.InvalidParameterSpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.util.*; import java.security.AlgorithmParameters; +import java.security.InvalidAlgorithmParameterException; import javax.crypto.spec.PBEParameterSpec; import javax.crypto.spec.PBEKeySpec; import javax.crypto.SecretKeyFactory; @@ -120,6 +122,11 @@ public static final int VERSION_3 = 3; + private static final int MAX_ITERATION_COUNT = 5000000; + private static final int PBE_ITERATION_COUNT = 50000; // default + private static final int MAC_ITERATION_COUNT = 100000; // default + private static final int SALT_LEN = 20; + private static final Debug debug = Debug.getInstance("pkcs12"); private static final int keyBag[] = {1, 2, 840, 113549, 1, 12, 10, 1, 2}; @@ -144,8 +151,6 @@ private static ObjectIdentifier pbeWithSHAAnd3KeyTripleDESCBC_OID; private int counter = 0; - private static final int iterationCount = 1024; - private static final int SALT_LEN = 20; // private key count // Note: This is a workaround to allow null localKeyID attribute @@ -235,6 +240,7 @@ byte[] encryptedKey; AlgorithmParameters algParams; ObjectIdentifier algOid; + try { // get the encrypted private key EncryptedPrivateKeyInfo encrInfo = @@ -256,6 +262,23 @@ } try { + PBEParameterSpec pbeSpec; + int ic = 0; + + if (algParams != null) { + try { + pbeSpec = + algParams.getParameterSpec(PBEParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + throw new IOException("Invalid PBE algorithm parameters"); + } + ic = pbeSpec.getIterationCount(); + + if (ic > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } + } + // Use JCE SecretKey skey = getPBEKey(password); Cipher cipher = Cipher.getInstance(algOid.toString()); @@ -502,19 +525,19 @@ /* * Generate PBE Algorithm Parameters */ - private AlgorithmParameters getAlgorithmParameters(String algorithm) + private AlgorithmParameters getPBEAlgorithmParameters(String algorithm) throws IOException { AlgorithmParameters algParams = null; // create PBE parameters from salt and iteration count PBEParameterSpec paramSpec = - new PBEParameterSpec(getSalt(), iterationCount); + new PBEParameterSpec(getSalt(), PBE_ITERATION_COUNT); try { algParams = AlgorithmParameters.getInstance(algorithm); algParams.init(paramSpec); } catch (Exception e) { - throw new IOException("getAlgorithmParameters failed: " + + throw new IOException("getPBEAlgorithmParameters failed: " + e.getMessage(), e); } return algParams; @@ -583,7 +606,7 @@ try { // create AlgorithmParameters AlgorithmParameters algParams = - getAlgorithmParameters("PBEWithSHA1AndDESede"); + getPBEAlgorithmParameters("PBEWithSHA1AndDESede"); // Use JCE SecretKey skey = getPBEKey(password); @@ -844,7 +867,7 @@ // generate MAC (MAC key is generated within JCE) Mac m = Mac.getInstance("HmacPBESHA1"); PBEParameterSpec params = - new PBEParameterSpec(salt, iterationCount); + new PBEParameterSpec(salt, MAC_ITERATION_COUNT); SecretKey key = getPBEKey(passwd); m.init(key, params); m.update(data); @@ -852,7 +875,7 @@ // encode as MacData MacData macData = new MacData(algName, macResult, salt, - iterationCount); + MAC_ITERATION_COUNT); DerOutputStream bytes = new DerOutputStream(); bytes.write(macData.getEncoded()); mData = bytes.toByteArray(); @@ -1128,7 +1151,7 @@ // create AlgorithmParameters AlgorithmParameters algParams = - getAlgorithmParameters("PBEWithSHA1AndRC2_40"); + getPBEAlgorithmParameters("PBEWithSHA1AndRC2_40"); DerOutputStream bytes = new DerOutputStream(); AlgorithmId algId = new AlgorithmId(pbeWithSHAAnd40BitRC2CBC_OID, algParams); @@ -1264,6 +1287,30 @@ ObjectIdentifier algOid = in.getOID(); AlgorithmParameters algParams = parseAlgParameters(in); + PBEParameterSpec pbeSpec; + int ic = 0; + + if (algParams != null) { + try { + pbeSpec = + algParams.getParameterSpec(PBEParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + throw new IOException( + "Invalid PBE algorithm parameters"); + } + ic = pbeSpec.getIterationCount(); + + if (ic > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } + } + + if (debug != null) { + debug.println("Loading PKCS#7 encryptedData " + + "(" + new AlgorithmId(algOid).getName() + + " iterations: " + ic + ")"); + } + try { // Use JCE SecretKey skey = getPBEKey(password); @@ -1288,8 +1335,15 @@ // The MacData is optional. if (password != null && s.available() > 0) { MacData macData = new MacData(s); + int ic = macData.getIterations(); + try { - String algName = macData.getDigestAlgName().toUpperCase(); + if (ic > MAX_ITERATION_COUNT) { + throw new InvalidAlgorithmParameterException( + "MAC iteration count too large: " + ic); + } + + String algName = macData.getDigestAlgName().toUpperCase(); if (algName.equals("SHA") || algName.equals("SHA1") || algName.equals("SHA-1")) { @@ -1299,8 +1353,7 @@ // generate MAC (MAC key is created within JCE) Mac m = Mac.getInstance("HmacPBE" + algName); PBEParameterSpec params = - new PBEParameterSpec(macData.getSalt(), - macData.getIterations()); + new PBEParameterSpec(macData.getSalt(), ic); SecretKey key = getPBEKey(password); m.init(key, params); m.update(authSafeData);