Mercurial > hg > release > icedtea7-forest-2.1 > jdk
changeset 4653:3bf3f68bbe56
7099228: Use a PKCS11 config attribute to control encoding of an EC point
Reviewed-by: valeriep, mullan
author | vinnie |
---|---|
date | Fri, 14 Oct 2011 15:31:14 +0100 |
parents | 02de5cdbef21 |
children | 35a7ac263804 |
files | src/share/classes/sun/security/pkcs11/Config.java src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java src/share/classes/sun/security/pkcs11/P11Key.java src/share/classes/sun/security/pkcs11/wrapper/Functions.java src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java src/share/lib/security/sunpkcs11-solaris.cfg |
diffstat | 6 files changed, 35 insertions(+), 53 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/pkcs11/Config.java Wed Sep 07 21:05:24 2011 -0700 +++ b/src/share/classes/sun/security/pkcs11/Config.java Fri Oct 14 15:31:14 2011 +0100 @@ -192,6 +192,11 @@ // works only for NSS providers created via the Secmod API private boolean nssUseSecmodTrust = false; + // Flag to indicate whether the X9.63 encoding for EC points shall be used + // (true) or whether that encoding shall be wrapped in an ASN.1 OctetString + // (false). + private boolean useEcX963Encoding = false; + private Config(String filename, InputStream in) throws IOException { if (in == null) { if (filename.startsWith("--")) { @@ -320,6 +325,10 @@ return nssUseSecmodTrust; } + boolean getUseEcX963Encoding() { + return useEcX963Encoding; + } + private static String expand(final String s) throws IOException { try { return PropertyExpander.expand(s); @@ -440,6 +449,8 @@ parseNSSArgs(word); } else if (word.equals("nssUseSecmodTrust")) { nssUseSecmodTrust = parseBooleanEntry(word); + } else if (word.equals("useEcX963Encoding")) { + useEcX963Encoding = parseBooleanEntry(word); } else { throw new ConfigurationException ("Unknown keyword '" + word + "', line " + st.lineno());
--- a/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Wed Sep 07 21:05:24 2011 -0700 +++ b/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Fri Oct 14 15:31:14 2011 +0100 @@ -203,16 +203,20 @@ private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception { byte[] encodedParams = ECParameters.encodeParameters(params); - byte[] rawPoint = ECParameters.encodePoint(point, params.getCurve()); - byte[] encodedPoint = null; + byte[] encodedPoint = + ECParameters.encodePoint(point, params.getCurve()); - // Wrap the EC point in a DER OCTET STRING - DerValue pkECPoint = new DerValue(DerValue.tag_OctetString, rawPoint); - - try { - encodedPoint = pkECPoint.toByteArray(); - } catch (IOException e) { - throw new IllegalArgumentException("Could not DER encode point", e); + // Check whether the X9.63 encoding of an EC point shall be wrapped + // in an ASN.1 OCTET STRING + if (!token.config.getUseEcX963Encoding()) { + try { + encodedPoint = + new DerValue(DerValue.tag_OctetString, encodedPoint) + .toByteArray(); + } catch (IOException e) { + throw new + IllegalArgumentException("Could not DER encode point", e); + } } CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { @@ -223,26 +227,6 @@ }; attributes = token.getAttributes (O_IMPORT, CKO_PUBLIC_KEY, CKK_EC, attributes); - - // Check whether DER-encoded EC points are supported by the PKCS11 token - // (Some tokens support only the raw encoding for an EC point.) - for (int i = 0; i < attributes.length; i++) { - if (attributes[i].type == CKA_ENABLE_RAW_EC_POINT && - attributes[i].getBoolean()) { - // Must use the raw encoding for the EC point - for (int j = 0; j < attributes.length; j++) { - if (attributes[j].type == CKA_EC_POINT) { - attributes[j].pValue = rawPoint; - // Overwrite the CKA_ENABLE_RAW_EC_POINT attribute too - attributes[i].type = CKA_EC_POINT; - attributes[i].pValue = rawPoint; - break; - } - } - break; - } - } - Session session = null; try { session = token.getObjSession();
--- a/src/share/classes/sun/security/pkcs11/P11Key.java Wed Sep 07 21:05:24 2011 -0700 +++ b/src/share/classes/sun/security/pkcs11/P11Key.java Fri Oct 14 15:31:14 2011 +0100 @@ -1003,28 +1003,21 @@ try { params = P11ECKeyFactory.decodeParameters (attributes[1].getByteArray()); - - /* - * An uncompressed EC point may be in either of two formats. - * First try the OCTET STRING encoding: - * 04 <length> 04 <X-coordinate> <Y-coordinate> - * - * Otherwise try the raw encoding: - * 04 <X-coordinate> <Y-coordinate> - */ byte[] ecKey = attributes[0].getByteArray(); - try { + // Check whether the X9.63 encoding of an EC point is wrapped + // in an ASN.1 OCTET STRING + if (!token.config.getUseEcX963Encoding()) { DerValue wECPoint = new DerValue(ecKey); - if (wECPoint.getTag() != DerValue.tag_OctetString) - throw new IOException("Unexpected tag: " + - wECPoint.getTag()); + if (wECPoint.getTag() != DerValue.tag_OctetString) { + throw new IOException("Could not DER decode EC point." + + " Unexpected tag: " + wECPoint.getTag()); + } w = P11ECKeyFactory.decodePoint (wECPoint.getDataBytes(), params.getCurve()); - } catch (IOException e) { - // Failover + } else { w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve()); }
--- a/src/share/classes/sun/security/pkcs11/wrapper/Functions.java Wed Sep 07 21:05:24 2011 -0700 +++ b/src/share/classes/sun/security/pkcs11/wrapper/Functions.java Fri Oct 14 15:31:14 2011 +0100 @@ -885,7 +885,6 @@ addAttribute(CKA_MODIFIABLE, "CKA_MODIFIABLE"); addAttribute(CKA_EC_PARAMS, "CKA_EC_PARAMS"); addAttribute(CKA_EC_POINT, "CKA_EC_POINT"); - addAttribute(CKA_ENABLE_RAW_EC_POINT, "CKA_ENABLE_RAW_EC_POINT"); addAttribute(CKA_SECONDARY_AUTH, "CKA_SECONDARY_AUTH"); addAttribute(CKA_AUTH_PIN_FLAGS, "CKA_AUTH_PIN_FLAGS"); addAttribute(CKA_HW_FEATURE_TYPE, "CKA_HW_FEATURE_TYPE");
--- a/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java Wed Sep 07 21:05:24 2011 -0700 +++ b/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java Fri Oct 14 15:31:14 2011 +0100 @@ -413,9 +413,6 @@ public static final long CKA_VENDOR_DEFINED = 0x80000000L; - /* Only the raw encoding for an EC point is supported */ - public static final long CKA_ENABLE_RAW_EC_POINT = (CKA_VENDOR_DEFINED | 1); - /* the following mechanism types are defined: */ public static final long CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000000L; public static final long CKM_RSA_PKCS = 0x00000001L;
--- a/src/share/lib/security/sunpkcs11-solaris.cfg Wed Sep 07 21:05:24 2011 -0700 +++ b/src/share/lib/security/sunpkcs11-solaris.cfg Fri Oct 14 15:31:14 2011 +0100 @@ -11,12 +11,10 @@ handleStartupErrors = ignoreAll -attributes = compatibility +# Use the X9.63 encoding for EC points (do not wrap in an ASN.1 OctetString). +useEcX963Encoding = true -# Support only the raw encoding for an EC point -attributes (*, CKO_PUBLIC_KEY, CKK_EC) = { - CKA_ENABLE_RAW_EC_POINT = true -} +attributes = compatibility disabledMechanisms = { # the following mechanisms are disabled due to lack of digest cloning support